
Windows Analysis Report
uIarPolvHR.exe

Overview

General Information

Sample name: uIarPolvHR.exe (renamed because original name is a hash value)
Original sample name: f3c6c680b66ef4a132e3a9b61b83622d.exe
Analysis ID: 1570859
MD5: f3c6c680b66ef4a132e3a9b61b83622d
SHA1: c720cc4ff63d365458e9be977ed692263108dc87
SHA256: e51f50b3f520e3de0f0916e0291ad093aa0c50f6c81010001ce5aa2aee88f7b0
Tags: exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • uIarPolvHR.exe (PID: 5712 cmdline: "C:\Users\user\Desktop\uIarPolvHR.exe" MD5: F3C6C680B66EF4A132E3A9B61B83622D)
    • nonhazardousness.exe (PID: 6052 cmdline: "C:\Users\user\Desktop\uIarPolvHR.exe" MD5: F3C6C680B66EF4A132E3A9B61B83622D)
  • wscript.exe (PID: 2344 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • nonhazardousness.exe (PID: 2352 cmdline: "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe" MD5: F3C6C680B66EF4A132E3A9B61B83622D)
      • nonhazardousness.exe (PID: 2772 cmdline: "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe" MD5: F3C6C680B66EF4A132E3A9B61B83622D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration:
{"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i

Source | Rule | Description | Author | Strings
4.2.nonhazardousness.exe.2f00000.1.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
4.2.nonhazardousness.exe.2f00000.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
4.2.nonhazardousness.exe.2f00000.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
4.2.nonhazardousness.exe.2f00000.1.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x69ef8:$a1: Remcos restarted by watchdog!
  • 0x6a470:$a3: %02i:%02i:%02i:%03i
4.2.nonhazardousness.exe.2f00000.1.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64204:$str_b2: Executing file:
  • 0x6503c:$str_b3: GetDirectListeningPort
  • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64b80:$str_b7: \update.vbs
  • 0x6422c:$str_b9: Downloaded file:
  • 0x64218:$str_b10: Downloading file:
  • 0x642bc:$str_b12: Failed to upload file:
  • 0x65004:$str_b13: StartForward
  • 0x65024:$str_b14: StopForward
  • 0x64ad8:$str_b15: fso.DeleteFile "
  • 0x64a6c:$str_b16: On Error Resume Next
  • 0x64b08:$str_b17: fso.DeleteFolder "
  • 0x642ac:$str_b18: Uploaded file:
  • 0x6426c:$str_b19: Unable to delete:
  • 0x64aa0:$str_b20: while fso.FileExists("
  • 0x64749:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs" , ProcessId: 2344, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs" , ProcessId: 2344, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, ProcessId: 6052, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, ProcessId: 6052, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts (table columns: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)

AV Detection

Source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Virustotal: Detection: 70%
Source: uIarPolvHR.exe | ReversingLabs: Detection: 60%
Source: uIarPolvHR.exe | Virustotal: Detection: 70%
Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Joe Sandbox ML: detected
Source: uIarPolvHR.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_0043293A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_0043293A
Source: nonhazardousness.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406764 _wcslen,CoGetObject,2_2_00406764
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00406764 _wcslen,CoGetObject,5_2_00406764
Source: uIarPolvHR.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00DE445A
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEC6D1 FindFirstFileW,FindClose,0_2_00DEC6D1
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00DEC75C
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DEEF95
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DEF0F2
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00DEF3F3
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DE37EF
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DE3B12
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00DEBCBC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,2_2_0041B42F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B53A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0044D5E9 FindFirstFileExA,2_2_0044D5E9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,2_2_004089A9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW,2_2_00406AC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,2_2_00407A8C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00418C69
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,2_2_00408DA7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_00E2445A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2C6D1 FindFirstFileW,FindClose,2_2_00E2C6D1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00E2C75C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00E2EF95
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00E2F0F2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00E2F3F3
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00E237EF
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00E23B12
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00E2BCBC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,5_2_0041B42F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040B53A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0044D5E9 FindFirstFileExA,5_2_0044D5E9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,5_2_004089A9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW,5_2_00406AC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,5_2_00407A8C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00418C69
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,5_2_00408DA7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00406F06

Networking

Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49706 -> 192.210.150.26:8787
Source: Malware configuration extractor IPs: 192.210.150.26
Source: Joe Sandbox View IP Address: 192.210.150.26 192.210.150.26
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00DF22EE
Source: nonhazardousness.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: nonhazardousness.exe, 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000,2_2_004099E4
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00DF4164
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00DF4164
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_004159C6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E34164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00E34164
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,5_2_004159C6
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00DF3F66
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00DE001C
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E0CABC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00E4CABC
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR

                  E-Banking Fraud

                  barindex
                  Source: Yara match; File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
                  Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0041BB77 SystemParametersInfoW
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 5_2_0041BB77 SystemParametersInfoW

                  System Summary

                  Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
                  Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
                  Source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D83B3A: This is a third-party compiled AutoIt script.
                  Source: uIarPolvHR.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: uIarPolvHR.exe, 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: uIarPolvHR.exe, 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC3B3A: This is a third-party compiled AutoIt script.
                  Source: nonhazardousness.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: nonhazardousness.exe, 00000002.00000002.3878185815.0000000000E74000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: nonhazardousness.exe, 00000002.00000002.3878185815.0000000000E74000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: nonhazardousness.exe, 00000004.00000002.1564698054.0000000000E74000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: nonhazardousness.exe, 00000004.00000002.1564698054.0000000000E74000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: nonhazardousness.exe, 00000005.00000002.1572875642.0000000000E74000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: nonhazardousness.exe, 00000005.00000002.1572875642.0000000000E74000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D83633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C57D SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C8BE NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C88F NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C860 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C93E ClientToScreen,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0C909 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0CA7C GetWindowLongW,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D81290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D81287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,7524C8D0,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0D3B8 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D816DE GetParent,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D816B5 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D8167D NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0D78C NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D8189B NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0BC5D NtdllDialogWndProc_W,CallWindowProcW
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E0BF30 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C57D SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C8BE NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C88F NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C860 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C93E ClientToScreen,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4C909 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4CA7C GetWindowLongW,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,7524C8D0,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4D3B8 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC16DE GetParent,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC16B5 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC167D NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4D78C NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DC189B NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4BC5D NtdllDialogWndProc_W,CallWindowProcW
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E4BF30 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 5_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 5_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 5_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DEA1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DD8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,75185590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DE51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 5_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DAD975
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D8FCE0
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DA21C5
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DB62D2
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E003DA
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DB242E
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DA25FA
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D966E1
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D8E6A0
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DDE616
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DB878F
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DE8889
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DB6844
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E00857
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D98808
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DACB21
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DB6DB6
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D96F9E
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D93030
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DAF1D9
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DA3187
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D81287
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DA1484
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D95520
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DA7696
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D95760
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DA1978
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DB9AB5
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00E07DDB
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DA1D90
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00DABDA6
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D93FE0
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_00D8DF00
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe; Code function: 0_2_01064FB8
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0041D071
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_004520D2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0043D098
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00437150
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_004361AA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00426254
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00431377
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0043651C
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0041E5DF
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0044C739
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_004367C6
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_004267CB
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0043C9DD
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00432A49
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00436A8D
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0043CC0C
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00436D48
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00434D22
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00426E73
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00440E20
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_0043CE3B
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00412F45
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00452F00
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00426FAD
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DED975
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DCFCE0
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DE21C5
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DF62D2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00E403DA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe; Code function: 2_2_00DF242E
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DE25FA2_2_00DE25FA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DD66E12_2_00DD66E1
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DCE6A02_2_00DCE6A0
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00E1E6162_2_00E1E616
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DF878F2_2_00DF878F
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00E288892_2_00E28889
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DF68442_2_00DF6844
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00E408572_2_00E40857
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DD88082_2_00DD8808
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DECB212_2_00DECB21
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DF6DB62_2_00DF6DB6
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DD6F9E2_2_00DD6F9E
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DD30302_2_00DD3030
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DEF1D92_2_00DEF1D9
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DE31872_2_00DE3187
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DC12872_2_00DC1287
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DE14842_2_00DE1484
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DD55202_2_00DD5520
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DE76962_2_00DE7696
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DD57602_2_00DD5760
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DE19782_2_00DE1978
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DF9AB52_2_00DF9AB5
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00E47DDB2_2_00E47DDB
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DE1D902_2_00DE1D90
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DEBDA62_2_00DEBDA6
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DD3FE02_2_00DD3FE0
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DCDF002_2_00DCDF00
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_018022282_2_01802228
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 4_2_01041AB04_2_01041AB0
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0041D0715_2_0041D071
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004520D25_2_004520D2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0043D0985_2_0043D098
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004371505_2_00437150
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004361AA5_2_004361AA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004262545_2_00426254
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004313775_2_00431377
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0043651C5_2_0043651C
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0041E5DF5_2_0041E5DF
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0044C7395_2_0044C739
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004367C65_2_004367C6
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004267CB5_2_004267CB
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0043C9DD5_2_0043C9DD
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00432A495_2_00432A49
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00436A8D5_2_00436A8D
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0043CC0C5_2_0043CC0C
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00436D485_2_00436D48
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00434D225_2_00434D22
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00426E735_2_00426E73
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00440E205_2_00440E20
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0043CE3B5_2_0043CE3B
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00412F455_2_00412F45
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00452F005_2_00452F00
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00426FAD5_2_00426FAD
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_014549385_2_01454938
Source: C:\Users\user\Desktop\uIarPolvHR.exe, Code function: String function: 00D87DE1 appears 35 times
Source: C:\Users\user\Desktop\uIarPolvHR.exe, Code function: String function: 00DA0AE3 appears 70 times
Source: C:\Users\user\Desktop\uIarPolvHR.exe, Code function: String function: 00DA8900 appears 42 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00444B14 appears 56 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00404C9E appears 32 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 004020E7 appears 79 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00DE0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00DC7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00401E8F appears 37 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00401D64 appears 43 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00447174 appears 36 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 004040BB appears 36 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00401F66 appears 100 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00410D8D appears 36 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 004338A5 appears 82 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00401FAA appears 42 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00403B40 appears 44 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00DE8900 appears 42 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe, Code function: String function: 00433FB0 appears 110 times
Source: uIarPolvHR.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/8@0/1
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEA06A GetLastError,FormatMessageW,0_2_00DEA06A
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DD81CB AdjustTokenPrivileges,CloseHandle,0_2_00DD81CB
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DD87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00DD87E1
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,2_2_00416AB7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E181CB AdjustTokenPrivileges,CloseHandle,2_2_00E181CB
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00E187E1
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,5_2_00416AB7
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00DEB3FB
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DFEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00DFEE0D
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEC397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_00DEC397
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00D84E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00D84E89
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_00419BC4
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | File created: C:\Users\user\AppData\Local\Sancerre
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | File created: C:\Users\user\AppData\Local\Temp\aut3E00.tmp
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs"
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: uIarPolvHR.exe | ReversingLabs: Detection: 60%
                  Source: uIarPolvHR.exe | Virustotal: Detection: 70%
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | File read: C:\Users\user\Desktop\uIarPolvHR.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\uIarPolvHR.exe "C:\Users\user\Desktop\uIarPolvHR.exe"
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\Desktop\uIarPolvHR.exe"
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\Desktop\uIarPolvHR.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
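                  The process-creation lines above carry three signals a detection can key on: wscript.exe run against a script in the per-user Startup folder, a script host spawning an executable from a profile path, and nonhazardousness.exe being created with uIarPolvHR.exe's command line (the image on disk does not match the executable its own command line names, which is what you see when a dropper starts a copy of itself under another path or hollows a child). The following is an added example, not part of the Joe Sandbox report: Python detection logic over process-creation records constructed from those lines. The record shape (parent_image, image, cmdline) is a hypothetical telemetry format, and the "unknown" parents are kept as the report gives them.

```python
"""Detection logic for the process chain recorded above.

Input records are constructed from the report's process-creation lines;
the record shape (parent_image, image, cmdline) is a hypothetical
telemetry format, not Joe Sandbox's own."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\", re.I)

# constructed from the "Process created" lines above ("unknown" parents kept as reported)
EVENTS = [
    {"parent_image": "unknown",
     "image": r"C:\Users\user\Desktop\uIarPolvHR.exe",
     "cmdline": r'"C:\Users\user\Desktop\uIarPolvHR.exe"'},
    {"parent_image": r"C:\Users\user\Desktop\uIarPolvHR.exe",
     "image": r"C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe",
     "cmdline": r'"C:\Users\user\Desktop\uIarPolvHR.exe"'},
    {"parent_image": "unknown",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"'},
]


def _tokens(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [m.group(1) or m.group(2) for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def analyze(events):
    """Return [(rule, detail)] for every record that matches one of the three rules."""
    hits = []
    for e in events:
        image, parent, cmd = e["image"], e["parent_image"], e["cmdline"]
        base, pbase = ntpath.basename(image).lower(), ntpath.basename(parent).lower()
        toks = _tokens(cmd)
        # 1. wscript/cscript executing a script that lives in a Startup folder
        if base in SCRIPT_HOSTS:
            for t in toks[1:]:
                if t.lower().endswith(SCRIPT_EXT) and STARTUP_RE.search(t):
                    hits.append(("startup_script_host", t))
        # 2. a script host spawning an executable from a user-writable profile path
        if pbase in SCRIPT_HOSTS and USER_WRITABLE_RE.search(image):
            hits.append(("script_host_spawns_user_exe", image))
        # 3. the image on disk is not the executable named on its own command line
        #    (nonhazardousness.exe created with uIarPolvHR.exe's command line above);
        #    ntpath.normcase makes the compare case-insensitive (WScript.exe vs wscript.exe)
        if toks and ntpath.normcase(toks[0]) != ntpath.normcase(image):
            hits.append(("image_cmdline_mismatch", f"{image} launched as {toks[0]}"))
    return hits


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"{rule:28s} {detail}")
```

Rule 3 also fires on benign cases (8.3 short names, junctions, launchers that pass a different argv[0]), so on a live feed resolve paths before comparing and treat it as a corroborating signal rather than an alert on its own; rules 1 and 2 are the high-confidence pair here.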
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00ED7A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00ED7A50
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DA8945 push ecx; ret 0_2_00DA8958
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00E0F808 push ds; ret 0_2_00E0F80A
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_004567E0 push eax; ret 2_2_004567FE
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_0045B9DD push esi; ret 2_2_0045B9E6
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00463EF3 push ds; retf 2_2_00463EEC
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00455EAF push ecx; ret 2_2_00455EC2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00433FF6 push ecx; ret 2_2_00434009
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00DE8945 push ecx; ret 2_2_00DE8958
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E4F808 push ds; ret 2_2_00E4F80A
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_004567E0 push eax; ret 5_2_004567FE
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_0045B9DD push esi; ret 5_2_0045B9E6
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_00463EF3 push ds; retf 5_2_00463EEC
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_00455EAF push ecx; ret 5_2_00455EC2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_00433FF6 push ecx; ret 5_2_00434009
                  Source: initial sample | Static PE information: section name: UPX0
                  Source: initial sample | Static PE information: section name: UPX1
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00406128 ShellExecuteW,URLDownloadToFileW,2_2_00406128
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | File created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe
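                  Two of the indicators on this page are cheap to check without executing anything: the UPX0/UPX1 section names of the packed sample just above, and the Rmc-R1T905 mutant name recorded for nonhazardousness.exe earlier. The following is an added example, not part of the Joe Sandbox report: a Python triage that reads section names directly from the PE header (no third-party PE library) and scans a memory blob for Rmc-<id> mutex names in both ASCII and UTF-16, since Windows keeps the name as a wide string once the object is created. The PE header and the memory blob are constructed here; the Rmc- prefix pattern is an assumption generalised from the single mutex name on the page.

```python
"""Static triage for the UPX section names and the Rmc-<id> mutex recorded above.

Both inputs are constructed: build_sample_pe() emits a minimal header with
the requested section names and SAMPLE_MEMORY stands in for a process dump.
The Rmc-<id> pattern is an assumption drawn from the one mutex on the page."""
import re
import struct

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}
MUTEX_RE = re.compile(rb"Rmc-[A-Za-z0-9]{4,16}")                       # ASCII copy
MUTEX_RE_W = re.compile(rb"R\0m\0c\0-\0(?:[A-Za-z0-9]\0){4,16}")        # UTF-16LE copy

# constructed memory blob: the mutant path from the report in both encodings
SAMPLE_MEMORY = (b"\0" * 16
                 + b"\\Sessions\\1\\BaseNamedObjects\\Rmc-R1T905\0"
                 + "Rmc-R1T905".encode("utf-16-le") + b"\0\0"
                 + b"SOFTWARE\\Classes\\CLSID\\\0" + b"\0" * 16)


def section_names(pe):
    """Section names of a PE image read from the COFF section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)      # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        raw = pe[table + 40 * i: table + 40 * i + 8]             # 8-byte NUL-padded name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(pe, memory):
    """Indicators found in a file image and a memory blob."""
    names = section_names(pe)
    found = {m.group().decode() for m in MUTEX_RE.finditer(memory)}
    found |= {m.group().decode("utf-16-le") for m in MUTEX_RE_W.finditer(memory)}
    return {"sections": names,
            "upx_packed": bool(UPX_SECTIONS & set(names)),
            "remcos_mutex": sorted(found)}


def build_sample_pe(names):
    """Constructed minimal PE32 header carrying the given section names (no code)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                      # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt_size = 0xE0                                              # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    table = 0x80 + 24 + opt_size
    for i, n in enumerate(names):
        hdr[table + 40 * i: table + 40 * i + 8] = n.encode().ljust(8, b"\0")
    return bytes(hdr)


if __name__ == "__main__":
    print(triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"]), SAMPLE_MEMORY))
```

Renamed UPX sections are common, so treat the section-name check as a hint and pair it with entropy or the UPX! signature on a real sample; the mutex scan, run over a dump of the dropped process, is the more specific of the two.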

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_00419BC4
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00D848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00D848D7
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00E05376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00E05376
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00DC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00DC48D7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E45376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00E45376
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DA3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DA3187
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Process information set: NOOPENFILEERRORBOX
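                  The Boot Survival entries above give the persistence mechanism in full: nonhazardousness.exe writes nonhazardousness.vbs into the per-user Startup folder, and at the next logon wscript.exe runs it and relaunches the payload from %LOCALAPPDATA%\Sancerre. The following is an added example, not part of the Joe Sandbox report: a Python hunt that lists script files in a Startup folder, extracts the executables each one launches and flags scripts whose targets sit under a user's AppData. The profile tree and the VBS body are constructed here (the report does not show the script's contents), so the WScript.Shell Run line is a hypothetical stand-in for whatever the real dropper wrote.

```python
"""Hunt for scripts in a Startup folder and resolve what they launch.

The profile tree and the VBS body below are constructed (the report does not
show the script's contents); on a live host call scan_startup() on
%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup."""
import os
import re
import tempfile

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1")
# a drive-letter path ending in an executable extension, quoted or bare
LAUNCH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com))', re.I)
PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def launch_targets(script_text):
    """Executable paths referenced by a startup script, in order of appearance."""
    return [m.group(1) for m in LAUNCH_RE.finditer(script_text)]


def scan_startup(startup_dir):
    """[(script_path, [targets], suspicious)] for each script file in startup_dir.

    suspicious is True when any target sits under a user's AppData, the
    pattern recorded for nonhazardousness.vbs above."""
    findings = []
    for name in sorted(os.listdir(startup_dir)):
        path = os.path.join(startup_dir, name)
        if not name.lower().endswith(SCRIPT_EXT) or not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            targets = launch_targets(fh.read())
        findings.append((path, targets, any(PROFILE_RE.search(t) for t in targets)))
    return findings


def build_sample_profile():
    """Constructed stand-in for the infected profile; the VBS body is hypothetical."""
    startup = os.path.join(tempfile.mkdtemp(), "Startup")
    os.makedirs(startup)
    with open(os.path.join(startup, "nonhazardousness.vbs"), "w") as fh:
        # VBS doubles quotes inside a string, so """..""" yields a quoted path
        fh.write('Set sh = CreateObject("WScript.Shell")\r\n'
                 'sh.Run """C:\\Users\\user\\AppData\\Local\\Sancerre\\nonhazardousness.exe""", 0, False\r\n')
    with open(os.path.join(startup, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\r\n")      # benign file that must be ignored
    return startup


if __name__ == "__main__":
    for path, targets, suspicious in scan_startup(build_sample_profile()):
        print("SUSPICIOUS" if suspicious else "ok", path, targets)
```

The regex only catches literal paths; a script that assembles the path from ExpandEnvironmentStrings or string concatenation will show an empty target list, so treat any Startup-folder script with no resolvable target as worth a manual look rather than as clean, and check the all-users Startup folder under ProgramData as well.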

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_0040E54F Sleep,ExitProcess,2_2_0040E54F
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 5_2_0040E54F Sleep,ExitProcess,5_2_0040E54F
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,2_2_004198C2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,5_2_004198C2
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Window / User API: threadDelayed 2416
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Window / User API: threadDelayed 7065
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Window / User API: foregroundWindowGot 1749
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | API coverage: 4.4 %
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | API coverage: 6.0 %
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | API coverage: 2.0 %
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1296 | Thread sleep count: 212 > 30
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1296 | Thread sleep time: -106000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 | Thread sleep count: 2416 > 30
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 | Thread sleep time: -7248000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 | Thread sleep count: 7065 > 30
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 | Thread sleep time: -21195000s >= -30000s
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DE445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00DE445A
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEC6D1 FindFirstFileW,FindClose,0_2_00DEC6D1
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00DEC75C
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DEEF95
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DEF0F2
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00DEF3F3
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DE37EF
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DE3B12
                  Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00DEBCBC
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B335
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,2_2_0041B42F
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B53A
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_0044D5E9 FindFirstFileExA,2_2_0044D5E9
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,2_2_004089A9
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW,2_2_00406AC2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,2_2_00407A8C
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00418C69
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,2_2_00408DA7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E2445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_00E2445A
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E2C6D1 FindFirstFileW,FindClose,2_2_00E2C6D1
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00E2C75C
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00E2EF95
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00E2F0F2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00E2F3F3
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00E237EF
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00E23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00E23B12
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00E2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00E2BCBC
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040B335
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,5_2_0041B42F
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040B53A
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0044D5E9 FindFirstFileExA,5_2_0044D5E9
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,5_2_004089A9
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00406AC2 FindFirstFileW,FindNextFileW,5_2_00406AC2
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,5_2_00407A8C
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00418C69
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,5_2_00408DA7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00406F06
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00D849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D849A0
                  Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
                  Source: wscript.exe, 00000003.00000002.1554332305.000002A0AC2C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: nonhazardousness.exe, 00000005.00000003.1563082206.0000000001529000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exesE
                  Source: nonhazardousness.exe, 00000004.00000003.1553586996.00000000010AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeAPI call chain: ExitProcess graph end nodegraph_0-104692
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeAPI call chain: ExitProcess graph end nodegraph_0-107282
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DF3F09 BlockInput,0_2_00DF3F09
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00D83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00D83B3A
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DB5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,0_2_00DB5A7C
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00ED7A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00ED7A50
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_010637C6 mov eax, dword ptr fs:[00000030h]0_2_010637C6
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_010637D8 mov eax, dword ptr fs:[00000030h]0_2_010637D8
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_01064E48 mov eax, dword ptr fs:[00000030h]0_2_01064E48
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_01064EA8 mov eax, dword ptr fs:[00000030h]0_2_01064EA8
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00442554 mov eax, dword ptr fs:[00000030h]2_2_00442554
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_01802118 mov eax, dword ptr fs:[00000030h]2_2_01802118
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_018020B8 mov eax, dword ptr fs:[00000030h]2_2_018020B8
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_01800A36 mov eax, dword ptr fs:[00000030h]2_2_01800A36
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_01800A48 mov eax, dword ptr fs:[00000030h]2_2_01800A48
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 4_2_01041940 mov eax, dword ptr fs:[00000030h]4_2_01041940
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 4_2_010419A0 mov eax, dword ptr fs:[00000030h]4_2_010419A0
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 4_2_010402BE mov eax, dword ptr fs:[00000030h]4_2_010402BE
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 4_2_010402D0 mov eax, dword ptr fs:[00000030h]4_2_010402D0
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00442554 mov eax, dword ptr fs:[00000030h]5_2_00442554
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_01453146 mov eax, dword ptr fs:[00000030h]5_2_01453146
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_01453158 mov eax, dword ptr fs:[00000030h]5_2_01453158
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_014547C8 mov eax, dword ptr fs:[00000030h]5_2_014547C8
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_01454828 mov eax, dword ptr fs:[00000030h]5_2_01454828
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DD80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,0_2_00DD80A9
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DAA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DAA155
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DAA124 SetUnhandledExceptionFilter,0_2_00DAA124
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00434168
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043A65D
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00433B44
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00433CD7 SetUnhandledExceptionFilter,2_2_00433CD7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DEA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00DEA155
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 2_2_00DEA124 SetUnhandledExceptionFilter,2_2_00DEA124
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00434168
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0043A65D
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00433B44
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: 5_2_00433CD7 SetUnhandledExceptionFilter,5_2_00433CD7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe2_2_00410F36
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe5_2_00410F36
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DD87B1 LogonUserW,0_2_00DD87B1
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00D83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00D83B3A
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00D848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00D848D7
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DE4C53 mouse_event,0_2_00DE4C53
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DD7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00DD7CAF
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DD874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00DD874B
                  Source: uIarPolvHR.exe, 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp, nonhazardousness.exe, 00000002.00000002.3878185815.0000000000E74000.00000040.00000001.01000000.00000004.sdmp, nonhazardousness.exe, 00000004.00000002.1564698054.0000000000E74000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: uIarPolvHR.exe, nonhazardousness.exeBinary or memory string: Shell_TrayWnd
                  Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerB
                  Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager05\7
                  Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager05\
                  Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager05\6
                  Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.drBinary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DA862B cpuid 0_2_00DA862B
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,2_2_004470AE
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,2_2_004510BA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004511E3
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,2_2_004512EA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_004513B7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,2_2_00447597
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoA,2_2_0040E679
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00450A7F
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,2_2_00450CF7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,2_2_00450D42
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,2_2_00450DDD
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00450E6A
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,5_2_004470AE
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,5_2_004510BA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_004511E3
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,5_2_004512EA
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_004513B7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,5_2_00447597
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoA,5_2_0040E679
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00450A7F
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,5_2_00450CF7
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,5_2_00450D42
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: EnumSystemLocalesW,5_2_00450DDD
                  Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00450E6A
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DB4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00DB4E87
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DC1E06 GetUserNameW,0_2_00DC1E06
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00DB3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00DB3F3A
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeCode function: 0_2_00D849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D849A0
                  Source: C:\Users\user\Desktop\uIarPolvHR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_0040B21B
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0040B21B
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: \key3.db 2_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: \key3.db 5_2_0040B335
Source: nonhazardousness.exe | Binary or memory string: WIN_81
Source: nonhazardousness.exe | Binary or memory string: WIN_XP
Source: nonhazardousness.exe | Binary or memory string: WIN_XPe
Source: nonhazardousness.exe | Binary or memory string: WIN_VISTA
Source: nonhazardousness.exe | Binary or memory string: WIN_7
Source: nonhazardousness.exe | Binary or memory string: WIN_8
Source: nonhazardousness.exe, 00000005.00000002.1572875642.0000000000E74000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: cmd.exe 2_2_00405042
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: cmd.exe 5_2_00405042
Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DF6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\uIarPolvHR.exe | Code function: 0_2_00DF6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E36283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | Code function: 2_2_00E36747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information111
                  Scripting
                  2
                  Valid Accounts
                  2
                  Native API
                  111
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  1
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  11
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Command and Scripting Interpreter
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  121
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol121
                  Input Capture
                  2
                  Encrypted Channel
                  Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts2
                  Service Execution
                  2
                  Valid Accounts
                  1
                  Bypass User Account Control
                  21
                  Obfuscated Files or Information
                  2
                  Credentials In Files
                  1
                  System Service Discovery
                  SMB/Windows Admin Shares3
                  Clipboard Data
                  1
                  Remote Access Software
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron1
                  Windows Service
                  2
                  Valid Accounts
                  1
                  Software Packing
                  NTDS3
                  File and Directory Discovery
                  Distributed Component Object ModelInput Capture1
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchd2
                  Registry Run Keys / Startup Folder
                  21
                  Access Token Manipulation
                  1
                  DLL Side-Loading
                  LSA Secrets26
                  System Information Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
                  Windows Service
                  1
                  Bypass User Account Control
                  Cached Domain Credentials131
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items22
                  Process Injection
                  1
                  Masquerading
                  DCSync1
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job2
                  Registry Run Keys / Startup Folder
                  2
                  Valid Accounts
                  Proc Filesystem2
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  Virtualization/Sandbox Evasion
                  /etc/passwd and /etc/shadow11
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
                  Access Token Manipulation
                  Network Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd22
                  Process Injection
                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Antivirus detection for the submitted file:

Source | Detection | Scanner | Label
uIarPolvHR.exe | 61% | ReversingLabs | Win32.Trojan.AutoitInject
uIarPolvHR.exe | 70% | Virustotal |
uIarPolvHR.exe | 100% | Joe Sandbox ML |

Antivirus detection for the dropped file:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | 61% | ReversingLabs | Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe | 70% | Virustotal |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No contacted domains info
Contacted URLs:

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | nonhazardousness.exe | false | | high
http://geoplugin.net/json.gp/C | nonhazardousness.exe, 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp | false | | high
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
192.210.150.26 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1570859
                      Start date and time:2024-12-08 09:11:17 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 9m 16s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:10
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:uIarPolvHR.exe
                      renamed because original name is a hash value
                      Original Sample Name:f3c6c680b66ef4a132e3a9b61b83622d.exe
                      Detection:MAL
                      Classification:mal100.rans.troj.spyw.expl.evad.winEXE@8/8@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 54
                      • Number of non-executed functions: 280
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:12:47 | API Interceptor | 6822822x Sleep call for process: nonhazardousness.exe modified
09:12:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs
Context for IP 192.210.150.26 (associated samples, all detected as Remcos):

• IB9876789000.bat.exe
• z49FACTURA-0987678.exe
• FAT6789098700900.scr.exe
• Rgh99876k7e.exe
• SALKI098765R400.exe
• FTE98767800000.bat.exe

No context
Context for ASN AS-COLOCROSSINGUS (associated sample | threat name | IP):

• IB9876789000.bat.exe | Remcos | 192.210.150.26
• meerkat.x86.elf | Mirai | 104.168.61.38
• CGDL.doc | Unknown | 192.3.172.208
• seemejkiss.hta | Cobalt Strike, FormBook, HTMLPhisher | 107.175.113.196
• seemybestdayguvenu.hta | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.29
• k4PAIh16E6.exe | DCRat, PureLog Stealer, zgRAT | 192.3.118.10
• scan_241205-801_draft_PO.exe | Remcos, GuLoader | 104.168.7.16
• Transferencia de pago.xlam.xlsx | AgentTesla | 192.3.243.136
• LdSbZG1iH6.exe | Remcos, PureLog Stealer | 192.3.64.152
• maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.3
                                  No context
                                  No context
                                  Process:C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):204
                                  Entropy (8bit):3.3536368279765596
                                  Encrypted:false
                                  SSDEEP:3:rhlKlyK1ukOlwi5JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:6lZE1lj5YcIeeDAlOWA41gWAv
                                  MD5:01E81FE46B68C4B7A9912AB951339816
                                  SHA1:A82F3AFE1B979459322D3C9D14E8227D9B4D52EA
                                  SHA-256:406492191D9B4276F99002BA2353FE8CAA9C918BA590842F623C2A1B74E0FE5F
                                  SHA-512:917CF6D441D91A1FEE107E3CB8833C9A9E3A5FFFC669DC73A09FECA17C31AF11AB28BBB6F5A1622815C97BC26595589BED295B21BBB91E4C3FAF2610C2115270
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                  Reputation:low
Preview (UTF-16LE text with a byte-order mark, shown decoded):
[2024/12/08 03:12:15 Offline Keylogger Started]
[Program Manager]
[Run]
[Program Manager]
                                  Process:C:\Users\user\Desktop\uIarPolvHR.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Category:dropped
                                  Size (bytes):877056
                                  Entropy (8bit):7.9642457985398805
                                  Encrypted:false
                                  SSDEEP:24576:Erl6kD68JmlotQfwmqmLQjmVlWGEeXqhaf:yl328U2yfwmjQm1EeXY
                                  MD5:F3C6C680B66EF4A132E3A9B61B83622D
                                  SHA1:C720CC4FF63D365458E9BE977ED692263108DC87
                                  SHA-256:E51F50B3F520E3DE0F0916E0291AD093AA0C50F6C81010001CE5AA2AEE88F7B0
                                  SHA-512:331DAF042E405DB03632781216131B5495AF8AD3F024623757F56B45957BCB0CABC5FA8D08252AA613B03F0E07A685AE60CB260DEAA6EAE11745F8283750F5A2
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 61%
                                  • Antivirus: Virustotal, Detection: 70%, Browse
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...x.Mg.........."......`..........Pz... ........@.......................................@...@.......@......................z..$............................~......................................4|..H...........................................UPX0....................................UPX1.....`... ...^..................@....rsrc................b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                  Process:C:\Users\user\Desktop\uIarPolvHR.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):430776
                                  Entropy (8bit):7.986190092992074
                                  Encrypted:false
                                  SSDEEP:12288:g3VQ+Wc6kzDz/DTUcx4P9DWq6j5m+vUotFo2/3J:gt7n7DD4EqgI+vL3R
                                  MD5:1DEF978F5FB49C0B560386C53E8E65D9
                                  SHA1:343BF4D40B82513AE5BDB2C17B1550AEE378D83B
                                  SHA-256:8D6030D9E059BA0BF270F8343ED9EF45394C8BE3607EC137EA1C3D7F30EEBECC
                                  SHA-512:178A4B7A727FD5E380E8C0701F4FF7DBD23C9CB5C1E8DF3DC47E2750917C2BBA0485462ADE1913D9B7BC573350FC208C1253F62B4D183F59771FF717C03ED589
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):430776
                                  Entropy (8bit):7.986190092992074
                                  Encrypted:false
                                  SSDEEP:12288:g3VQ+Wc6kzDz/DTUcx4P9DWq6j5m+vUotFo2/3J:gt7n7DD4EqgI+vL3R
                                  MD5:1DEF978F5FB49C0B560386C53E8E65D9
                                  SHA1:343BF4D40B82513AE5BDB2C17B1550AEE378D83B
                                  SHA-256:8D6030D9E059BA0BF270F8343ED9EF45394C8BE3607EC137EA1C3D7F30EEBECC
                                  SHA-512:178A4B7A727FD5E380E8C0701F4FF7DBD23C9CB5C1E8DF3DC47E2750917C2BBA0485462ADE1913D9B7BC573350FC208C1253F62B4D183F59771FF717C03ED589
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06......:.*.6.K.L*..V.7...Y..H..*U.%J..4U......7...fj.5...K..?s...{..bjPO...2..n...gB.I..I.fC(.Ej.K..>.L.W(..-k...2..*.=..'g.y.....v.......?f...3..w......1,...o>W.f..w.p>..o.#....^.]r...`......./.m.z+...`..?...........s!..r..../8....t..@........4.:.._..h.45..Qiq..B.^.Yj..Z..*..}N.]...3...n..C..I.N..hJ. ...T....Z..G...S..L.{....O.8..k7....Z.J..4.@.0.4W.T.d.Ti..P.a+.Q........R....C.2........S.....o.3.D...7.M.t0...Sq..J.'..).P....4T*.......T...\.aQ.....:.4..5>$.R.P@...}.iu..fS...(... ...h..@4>..6...P..........."k...5.....5..o....{9.T..`.LMo`.D>f...... *O...........D....f.Z.j....8w*=J...L.7z...H....*..o.X&..^g..B..9...K..%.*~....LaX..Cu%.Tj.O7l...Y".m..4....jGv)z..!yI=....}.].oO..+7)......x.]....."..\._......~eS...0+$....R.uJ.Op..f.z$......5.tV...Y.Y......u.i.>=..w..JGw...'U......\..X...O.M!W...%..T.Ui.J.....uX.....B(..4.cS.Jg.z..p.QbY|O6.r..uT..b#\..;.P.l.!...F..l\.....$.mY...~..lD+@..V .l.^9.J!M...s....*.M.....oh.|j...b'Y..&5..b..m.......TI
                                  Process:C:\Users\user\Desktop\uIarPolvHR.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):492544
                                  Entropy (8bit):7.677259266653322
                                  Encrypted:false
                                  SSDEEP:12288:6blCQepuDoIfDXczyBB/nRwTnQD/Y+ngf0SsK5Q:6b2uVfDMzYB/nonyQ+ng6r
                                  MD5:5DA0E2A6AF58F3C61E2A9D03160B0BE6
                                  SHA1:077B3FB750BEB67EB8615C3101CEB91E2C9F8CA1
                                  SHA-256:6412B25824B53394B1B61F6DAD679D0701F99DD9DAA27A3FD1893AB0D5883FD8
                                  SHA-512:166EA3DE661E775BC46EBDCDEB70337D1692A73BEB8450D3251C327C3364D70CED003467E3574A874FBA599A834BD5BD07697ADF3E6F78B52DD410988C64B90B
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):292
                                  Entropy (8bit):3.3925469544812112
                                  Encrypted:false
                                  SSDEEP:6:DMM8lfm3OOQdUfclwL1UEZ+lX12l5fZsD6E3T0cMMlm6nriIM8lfQVn:DsO+vNlwBQ1CZu6YMkm4mA2n
                                  MD5:619B77AF8DFF98F1660A77EAB503B3B2
                                  SHA1:6D9AD1890F575BD9D7553B3D2ED7A1DE7E89C9F3
                                  SHA-256:6BF9E025D26CD655FD577DD1B1431E6924B1262BB0EC65267742C402AF238FFE
                                  SHA-512:57AD245FCDA37A3850C09A485FD86EB06BEC3FDE6AB9D29DE57410ACC3C743F3FD20C26DD5A9021103423F383D43D981A0C4A2CED983C4956583CA2F2274D77E
                                  Malicious:true
                                  Reputation:low
Preview (UTF-16LE text, shown decoded; this is the startup-folder VBS dropper):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\hubert\AppData\Local\Sancerre\nonhazardousness.exe", 1
Set WshShell = Nothing
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Entropy (8bit):7.9642457985398805
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.39%
                                  • UPX compressed Win32 Executable (30571/9) 0.30%
                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  File name:uIarPolvHR.exe
                                  File size:877'056 bytes
                                  MD5:f3c6c680b66ef4a132e3a9b61b83622d
                                  SHA1:c720cc4ff63d365458e9be977ed692263108dc87
                                  SHA256:e51f50b3f520e3de0f0916e0291ad093aa0c50f6c81010001ce5aa2aee88f7b0
                                  SHA512:331daf042e405db03632781216131b5495af8ad3f024623757f56b45957bcb0cabc5fa8d08252aa613b03f0e07a685ae60cb260deaa6eae11745f8283750f5a2
                                  SSDEEP:24576:Erl6kD68JmlotQfwmqmLQjmVlWGEeXqhaf:yl328U2yfwmjQm1EeXY
                                  TLSH:DE15235688E3E422C64D673845299C9049A47D73DF9DB62EC724D62FFC32307E84AB2D
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x557a50
                                  Entrypoint Section:UPX1
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x674DBF78 [Mon Dec 2 14:08:56 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:fc6683d30d9f25244a50fd5357825e79
                                  Instruction
                                  pushad
                                  mov esi, 00502000h
                                  lea edi, dword ptr [esi-00101000h]
                                  push edi
                                  jmp 00007FBF111C96BDh
                                  nop
                                  mov al, byte ptr [esi]
                                  inc esi
                                  mov byte ptr [edi], al
                                  inc edi
                                  add ebx, ebx
                                  jne 00007FBF111C96B9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FBF111C969Fh
                                  mov eax, 00000001h
                                  add ebx, ebx
                                  jne 00007FBF111C96B9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  add ebx, ebx
                                  jnc 00007FBF111C96BDh
                                  jne 00007FBF111C96DAh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FBF111C96D1h
                                  dec eax
                                  add ebx, ebx
                                  jne 00007FBF111C96B9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  jmp 00007FBF111C9686h
                                  add ebx, ebx
                                  jne 00007FBF111C96B9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  jmp 00007FBF111C9704h
                                  xor ecx, ecx
                                  sub eax, 03h
                                  jc 00007FBF111C96C3h
                                  shl eax, 08h
                                  mov al, byte ptr [esi]
                                  inc esi
                                  xor eax, FFFFFFFFh
                                  je 00007FBF111C9727h
                                  sar eax, 1
                                  mov ebp, eax
                                  jmp 00007FBF111C96BDh
                                  add ebx, ebx
                                  jne 00007FBF111C96B9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FBF111C967Eh
                                  inc ecx
                                  add ebx, ebx
                                  jne 00007FBF111C96B9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FBF111C9670h
                                  add ebx, ebx
                                  jne 00007FBF111C96B9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  add ebx, ebx
                                  jnc 00007FBF111C96A1h
                                  jne 00007FBF111C96BBh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jnc 00007FBF111C9696h
                                  add ecx, 02h
                                  cmp ebp, FFFFFB00h
                                  adc ecx, 02h
                                  lea edx, dword ptr [edi+ebp]
                                  cmp ebp, FFFFFFFCh
                                  jbe 00007FBF111C96C0h
                                  mov al, byte ptr [edx]
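The loop above is the decompressor of the UPX stub that the UPX0/UPX1 section names further down announce. The recurring `add ebx, ebx / jne / mov ebx, dword ptr [esi] / sub esi, FFFFFFFCh / adc ebx, ebx` sequence is UPX's getbit: ebx holds a 32-bit little-endian word whose bits are shifted out MSB-first, and the borrow that `sub esi, FFFFFFFCh` leaves in CF is shifted in as a sentinel 1, so ebx reaching zero means the word is exhausted and the next one is fetched. `xor eax, FFFFFFFFh / je` is the end-of-stream test, `sar eax, 1 / mov ebp, eax` stores the negated match offset and moves its length flag into CF, and `cmp ebp, FFFFFB00h / adc ecx, 02h` is the 0x500 offset threshold which, together with the `add ecx, 02h` before it, points at the UCL NRV2E variant rather than NRV2B or NRV2D (that identification is my reading of the constants; the listing itself does not name the algorithm). What follows is an added example, not code from this report or from UPX: a Python decoder for that bit format transcribed from the listing, plus a toy encoder and constructed inputs so the round trip can be checked offline. The work UPX's outer loop does around the raw stream (its call-target filter, import-table rebuild and relocation pass) is deliberately left out.

```python
# Added example, not code from the Joe Sandbox report or from UPX: a Python re-implementation
# of the UCL NRV2E decoder that the stub's disassembly implements, plus a toy encoder for input.
class BitReader:
    # The stub's getbit: 32-bit little-endian words consumed MSB-first, the next word fetched
    # only once all 32 bits are used (add ebx,ebx / jne / mov ebx,[esi] / adc ebx,ebx).
    def __init__(self, data):
        self.data, self.pos, self.word, self.left = data, 0, 0, 0
    def getbit(self):
        if self.left == 0:
            self.word = int.from_bytes(self.data[self.pos:self.pos + 4], "little")
            self.pos, self.left = self.pos + 4, 32
        self.left -= 1
        return (self.word >> self.left) & 1
    def getbyte(self):
        self.pos += 1
        return self.data[self.pos - 1]

def nrv2e_decompress(src):
    bb, out, last_off = BitReader(src), bytearray(), 1
    while True:
        while bb.getbit():                      # bit 1: copy one literal byte
            out.append(bb.getbyte())
        m_off = 1                               # variable-length offset prefix
        while True:
            m_off = m_off * 2 + bb.getbit()
            if bb.getbit(): break
            m_off = (m_off - 1) * 2 + bb.getbit()
        if m_off == 2:                          # prefix 2: reuse the previous offset
            m_off, m_len = last_off, bb.getbit()
        else:
            m_off = (m_off - 3) * 256 + bb.getbyte()
            if m_off == 0xFFFFFFFF: break       # end marker (xor eax,-1 / je)
            m_len = (m_off ^ 0xFFFFFFFF) & 1    # low bit of ~raw (sar eax,1 -> CF)
            m_off = last_off = (m_off >> 1) + 1
        if m_len:
            m_len = 1 + bb.getbit()
        elif bb.getbit():
            m_len = 3 + bb.getbit()
        else:
            m_len = 1
            while True:
                m_len = m_len * 2 + bb.getbit()
                if bb.getbit(): break
            m_len += 3
        m_len += m_off > 0x500                  # cmp ebp,-0x500 / adc ecx,2
        for _ in range(m_len + 1):              # copy m_len+1 bytes, overlap allowed
            out.append(out[-m_off])
    return bytes(out)

def pack(items):
    # Inverse of BitReader: ints are bits, bytes objects are raw bytes. A word's 4-byte slot is
    # reserved when its first bit is written, so raw bytes emitted meanwhile land after it.
    out, word, n, slot = bytearray(), 0, 0, 0
    for it in items:
        if isinstance(it, bytes):
            out += it
            continue
        if n == 0:
            slot = len(out); out += b"\0\0\0\0"
        word, n = (word << 1) | it, n + 1
        if n == 32:
            out[slot:slot + 4] = word.to_bytes(4, "little"); word = n = 0
    if n:
        out[slot:slot + 4] = (word << (32 - n)).to_bytes(4, "little")
    return bytes(out)

def put_prefix(s, v):                           # offset prefix for v >= 2: inverse of the decoder loop
    steps, m = [], v >> 1
    while m != 1:
        steps.append((m + 2) & 3); m = (m + 2) >> 2
    for q in reversed(steps):
        s += [q >> 1, 0, q & 1]
    s += [v & 1, 1]

def put_length(s, n):                           # n = copy length - 1 - (off > 0x500), n >= 1;
    if n <= 2:                                  # the caller has already emitted the "n <= 2" flag
        s.append(n - 1)
    elif n <= 4:
        s += [1, n - 3]
    else:                                       # gamma code of w = n - 3: the bits below its MSB,
        s.append(0); w = n - 3                  # each followed by a continue (0) / stop (1) flag
        for i in range(w.bit_length() - 2, -1, -1):
            s += [(w >> i) & 1, int(i == 0)]

def nrv2e_compress(data):
    # Toy greedy LZ77 encoder for the same stream (UPX's real encoder optimises much harder).
    s, i, last_off = [], 0, 1
    while i < len(data):
        best_len = best_off = 0
        for off in range(1, i + 1):
            lim = len(data) - i
            l = next((k for k in range(lim) if data[i + k] != data[i - off + k]), lim)
            if l > best_len: best_len, best_off = l, off
        extra = int(best_off > 0x500)
        if best_len < 2 + extra:                # no usable match: emit a literal
            s += [1, bytes([data[i]])]; i += 1
            continue
        n = best_len - 1 - extra
        s.append(0)
        if best_off == last_off:
            put_prefix(s, 2); s.append(int(n <= 2))
        else:                                   # decoder: m_len flag = ~raw & 1, off = (raw >> 1) + 1
            raw = (best_off - 1) * 2 + int(n > 2)
            put_prefix(s, (raw >> 8) + 3); s.append(bytes([raw & 0xFF]))
        put_length(s, n)
        last_off, i = best_off, i + best_len
    s.append(0); put_prefix(s, 0x1000002); s.append(b"\xff")   # (0x1000002-3)*256+0xFF = end marker
    return pack(s)

# Constructed sample (not from the report): repeated runs, a long run, and a far-back match.
SAMPLE = bytes(range(256)) * 2 + b"x" * 1100 + bytes(range(256)) + b"ABABABABABCDCDCD"
```

The stub's `mov esi, 00502000h / lea edi, dword ptr [esi-00101000h]` gives the source and destination of the real stream: with the usual 0x400000 image base (an assumption, the base is not in this excerpt) those are the UPX1 section at 0x102000 and the empty UPX0 section at 0x1000 from the section table further down, so a static unpack would run `nrv2e_decompress` over UPX1's raw bytes and write the result where UPX0 is mapped, then still have to undo UPX's call filter and rebuild the imports. The import table further down has the matching UPX shape: the stub's own six KERNEL32 functions plus one import per DLL kept so the loader maps them, everything else resolved at runtime through LoadLibraryA/GetProcAddress. Breaking after the stub's final jump to the original entry point and dumping is usually quicker than either. The test-only encoder does a quadratic match search, which is irrelevant for the few kilobytes of constructed input.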
                                  Programming Language:
                                  • [ASM] VS2013 build 21005
                                  • [ C ] VS2013 build 21005
                                  • [C++] VS2013 build 21005
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2013 UPD4 build 31101
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 UPD4 build 31101
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d7abc | 0x424 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x158000 | 0x7fabc | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d7ee0 | 0xc | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x157c34 | 0x48 | UPX1
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   UPX0 | 0x1000 | 0x101000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   UPX1 | 0x102000 | 0x56000 | 0x55e00 | c297fde4c4d6a55c0dfe9847c88bc555 | False | 0.9871383733624454 | data | 7.935370984862536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x158000 | 0x80000 | 0x80000 | fb6c21f358a2462e28c2ea7ea4524cf6 | False | 0.9602775573730469 | data | 7.958556116442093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   RT_ICON | 0x1585ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                   RT_ICON | 0x1586d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                   RT_ICON | 0x158804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                   RT_ICON | 0x158930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                   RT_ICON | 0x158c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                   RT_ICON | 0x158d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                   RT_ICON | 0x159bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                   RT_ICON | 0x15a4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                   RT_ICON | 0x15aa0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                   RT_ICON | 0x15cfb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                   RT_ICON | 0x15e064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                   RT_MENU | 0xcd4a0 | 0x50 | empty | English | Great Britain | 0
                                   RT_STRING | 0xcd4f0 | 0x594 | empty | English | Great Britain | 0
                                   RT_STRING | 0xcda84 | 0x68a | empty | English | Great Britain | 0
                                   RT_STRING | 0xce110 | 0x490 | empty | English | Great Britain | 0
                                   RT_STRING | 0xce5a0 | 0x5fc | empty | English | Great Britain | 0
                                   RT_STRING | 0xceb9c | 0x65c | empty | English | Great Britain | 0
                                   RT_STRING | 0xcf1f8 | 0x466 | empty | English | Great Britain | 0
                                   RT_STRING | 0xcf660 | 0x158 | empty | English | Great Britain | 0
                                   RT_RCDATA | 0x15e4d0 | 0x79053 | data | - | - | 1.0003247938769293
                                   RT_GROUP_ICON | 0x1d7528 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                   RT_GROUP_ICON | 0x1d75a4 | 0x14 | data | English | Great Britain | 1.25
                                   RT_GROUP_ICON | 0x1d75bc | 0x14 | data | English | Great Britain | 1.15
                                   RT_GROUP_ICON | 0x1d75d4 | 0x14 | data | English | Great Britain | 1.25
                                   RT_VERSION | 0x1d75ec | 0xdc | data | English | Great Britain | 0.6181818181818182
                                   RT_MANIFEST | 0x1d76cc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                   DLL | Import
                                   KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                   ADVAPI32.dll | GetAce
                                   COMCTL32.dll | ImageList_Remove
                                   COMDLG32.dll | GetOpenFileNameW
                                   GDI32.dll | LineTo
                                   IPHLPAPI.DLL | IcmpSendEcho
                                   MPR.dll | WNetUseConnectionW
                                   ole32.dll | CoGetObject
                                   OLEAUT32.dll | VariantInit
                                   PSAPI.DLL | GetProcessMemoryInfo
                                   SHELL32.dll | DragFinish
                                   USER32.dll | GetDC
                                   USERENV.dll | LoadUserProfileW
                                   UxTheme.dll | IsThemeActive
                                   VERSION.dll | VerQueryValueW
                                   WININET.dll | FtpOpenFileW
                                   WINMM.dll | timeGetTime
                                   WSOCK32.dll | connect
                                   Language of compilation system | Country where language is spoken
                                   English | Great Britain
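The TCP packet table that follows shows one pattern repeated for the whole capture: from a fresh ephemeral port (49705, 49706, 49707, ...) the sample connects to 192.210.150.26 on port 8787, exchanges a handful of segments over two to three seconds, and is back with a new connection roughly every three seconds. Detecting that shape is a matter of reducing packets to one start time per connection and measuring how regular the gaps are. The code below is an added example, not part of the report: its sample lines are the first client packet of each of the table's first ten connections (plus two more packets of the first one, including the server's reply) with `|` separators added so the fields split cleanly, the control set is invented, and the thresholds (five connections, 15% jitter) are arbitrary starting points rather than a tuned rule.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample input: the first client-to-server packet of each of the first ten connections in the
# report's packet table (plus two extra packets of the first connection, one of them the
# server's reply), with "|" separators added so the fields can be split unambiguously.
PACKETS = """\
Dec 8, 2024 09:12:15.812989950 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:15.932445049 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
Dec 8, 2024 09:12:15.932687044 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:19.248249054 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:22.451597929 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:25.514662027 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:28.576695919 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:31.639267921 CET | 49712 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:34.717052937 CET | 49714 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:37.795641899 CET | 49715 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:40.857832909 CET | 49716 | 8787 | 192.168.2.8 | 192.210.150.26
Dec 8, 2024 09:12:43.920181990 CET | 49717 | 8787 | 192.168.2.8 | 192.210.150.26
"""

# Constructed control set (not from the report): six connections at irregular intervals.
CONTROL = """\
Dec 8, 2024 09:00:00.000000000 CET | 50001 | 443 | 192.168.2.8 | 203.0.113.10
Dec 8, 2024 09:00:07.000000000 CET | 50002 | 443 | 192.168.2.8 | 203.0.113.10
Dec 8, 2024 09:00:08.000000000 CET | 50003 | 443 | 192.168.2.8 | 203.0.113.10
Dec 8, 2024 09:00:30.000000000 CET | 50004 | 443 | 192.168.2.8 | 203.0.113.10
Dec 8, 2024 09:00:31.000000000 CET | 50005 | 443 | 192.168.2.8 | 203.0.113.10
Dec 8, 2024 09:01:10.000000000 CET | 50006 | 443 | 192.168.2.8 | 203.0.113.10
"""

def parse_packet(line):
    ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
    ts = ts.replace(" CET", "")
    ts = ts[:ts.index(".") + 7]                   # strptime's %f accepts at most 6 digits
    return datetime.strptime(ts, "%b %d, %Y %H:%M:%S.%f"), int(sport), int(dport), src, dst

def connection_starts(text):
    """Earliest packet per (src, dst, dport, sport), i.e. one timestamp per connection,
    grouped by the (src, dst, dport) flow; the server's replies form a flow of their own."""
    first = {}
    for line in text.splitlines():
        t, sport, dport, src, dst = parse_packet(line)
        key = (src, dst, dport, sport)
        first[key] = min(t, first.get(key, t))
    flows = defaultdict(list)
    for (src, dst, dport, sport), t in first.items():
        flows[(src, dst, dport)].append(t)
    return {flow: sorted(ts) for flow, ts in flows.items()}

def beacon_score(starts, min_conns=5, max_jitter=0.15):
    """Median reconnect interval and MAD/median jitter over a flow's connection start times.
    Many short-lived connections with a tight period and low jitter is the RAT beacon shape."""
    if len(starts) < min_conns:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    period = median(gaps)
    jitter = median(abs(g - period) for g in gaps) / period
    return {"connections": len(starts), "period_s": round(period, 3),
            "jitter": round(jitter, 3), "beacon": jitter <= max_jitter}

def find_beacons(text):
    """Every flow with enough connections to score, keyed by (src, dst, dport)."""
    scored = ((flow, beacon_score(starts)) for flow, starts in connection_starts(text).items())
    return {flow: score for flow, score in scored if score}
```

Connections are keyed by source port, so a client that reuses ports, or a capture taken behind NAT, needs a different key (a SYN flag or a flow ID from the capture tool). The median period with a median-absolute-deviation jitter is deliberately robust to the slow first reconnects at the start of the capture (the first gap here is 3.44 s against a 3.06 s median), which a mean and standard deviation would overweight; the control set scores a jitter near 0.86 and is not flagged.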
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Dec 8, 2024 09:12:15.812989950 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:15.932445049 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:15.932687044 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:15.940594912 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:16.294485092 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:16.431919098 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:16.432212114 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:18.242022991 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:18.242208958 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:18.242253065 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:18.361498117 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:19.248249054 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:19.367449999 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:19.367537975 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:19.368019104 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:19.492216110 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:21.324331999 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:21.324412107 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:21.328161001 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:21.447366953 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:22.451597929 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:22.570863008 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:22.570965052 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:22.571557045 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:22.690824986 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:24.511882067 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:24.512098074 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:24.512151003 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:24.631582022 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:25.514662027 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:25.634133101 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:25.634288073 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:25.634771109 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:25.754018068 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:27.571218967 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:27.571297884 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:27.571415901 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:27.690992117 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:28.576695919 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:28.698404074 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:28.698508978 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:28.699135065 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:28.818584919 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:30.632797003 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:30.633013964 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:30.633099079 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:30.752686024 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:31.639267921 CET | 49712 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:31.759216070 CET | 8787 | 49712 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:31.759361029 CET | 49712 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:31.759932995 CET | 49712 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:31.879291058 CET | 8787 | 49712 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:33.704104900 CET | 8787 | 49712 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:33.704334021 CET | 49712 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:33.704514027 CET | 49712 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:33.823810101 CET | 8787 | 49712 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:34.717052937 CET | 49714 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:34.836410999 CET | 8787 | 49714 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:34.836500883 CET | 49714 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:34.837090015 CET | 49714 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:34.956366062 CET | 8787 | 49714 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:36.790359020 CET | 8787 | 49714 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:36.791054964 CET | 49714 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:36.791276932 CET | 49714 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:36.911994934 CET | 8787 | 49714 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:37.795641899 CET | 49715 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:37.914901972 CET | 8787 | 49715 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:37.917893887 CET | 49715 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:37.918451071 CET | 49715 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:38.037847996 CET | 8787 | 49715 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:39.851705074 CET | 8787 | 49715 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:39.851774931 CET | 49715 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:39.851851940 CET | 49715 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:39.971097946 CET | 8787 | 49715 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:40.857832909 CET | 49716 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:40.977119923 CET | 8787 | 49716 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:40.977210045 CET | 49716 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:40.977828979 CET | 49716 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:41.097260952 CET | 8787 | 49716 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:42.915211916 CET | 8787 | 49716 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:42.915353060 CET | 49716 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:42.915574074 CET | 49716 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:43.034832954 CET | 8787 | 49716 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:43.920181990 CET | 49717 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:44.039535046 CET | 8787 | 49717 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:44.039627075 CET | 49717 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:44.040062904 CET | 49717 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:44.159373045 CET | 8787 | 49717 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:45.976669073 CET | 8787 | 49717 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:45.977025986 CET | 49717 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:45.977025986 CET | 49717 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:46.096586943 CET | 8787 | 49717 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:46.983236074 CET | 49718 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:47.103009939 CET | 8787 | 49718 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:47.103234053 CET | 49718 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:47.103938103 CET | 49718 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:47.223288059 CET | 8787 | 49718 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:49.045337915 CET | 8787 | 49718 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:49.045778990 CET | 49718 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:49.045778990 CET | 49718 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:49.165105104 CET | 8787 | 49718 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:50.061093092 CET | 49719 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:50.180334091 CET | 8787 | 49719 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:50.180494070 CET | 49719 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:50.181207895 CET | 49719 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:50.300463915 CET | 8787 | 49719 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:52.121779919 CET | 8787 | 49719 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:52.121934891 CET | 49719 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:52.122144938 CET | 49719 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:52.241656065 CET | 8787 | 49719 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:53.123554945 CET | 49720 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:53.242842913 CET | 8787 | 49720 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:53.245138884 CET | 49720 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:53.245578051 CET | 49720 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:53.364850044 CET | 8787 | 49720 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:55.180157900 CET | 8787 | 49720 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:55.180241108 CET | 49720 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:55.180284977 CET | 49720 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:55.299689054 CET | 8787 | 49720 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:56.185687065 CET | 49721 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:56.305028915 CET | 8787 | 49721 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:56.305169106 CET | 49721 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:56.305609941 CET | 49721 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:56.425107002 CET | 8787 | 49721 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:58.262501001 CET | 8787 | 49721 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:58.262586117 CET | 49721 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:58.262687922 CET | 49721 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:58.381934881 CET | 8787 | 49721 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:59.264281034 CET | 49722 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:59.383507967 CET | 8787 | 49722 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:12:59.383650064 CET | 49722 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:59.384152889 CET | 49722 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:12:59.503386974 CET | 8787 | 49722 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:01.320704937 CET | 8787 | 49722 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:01.320777893 CET | 49722 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:01.320846081 CET | 49722 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:01.440072060 CET | 8787 | 49722 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:02.326453924 CET | 49723 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:02.445786953 CET | 8787 | 49723 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:02.447199106 CET | 49723 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:02.447643042 CET | 49723 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:02.566975117 CET | 8787 | 49723 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:04.387372017 CET | 8787 | 49723 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:04.387474060 CET | 49723 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:04.387510061 CET | 49723 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:04.506828070 CET | 8787 | 49723 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:05.389086962 CET | 49724 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:05.508464098 CET | 8787 | 49724 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:05.508554935 CET | 49724 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:05.508917093 CET | 49724 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:05.628139973 CET | 8787 | 49724 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:07.447043896 CET | 8787 | 49724 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:07.447104931 CET | 49724 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:07.447159052 CET | 49724 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:07.566370010 CET | 8787 | 49724 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:08.451586962 CET | 49725 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:08.570992947 CET | 8787 | 49725 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:08.571202993 CET | 49725 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:08.571657896 CET | 49725 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:08.690917015 CET | 8787 | 49725 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:10.509629965 CET | 8787 | 49725 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:10.509736061 CET | 49725 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:10.509804964 CET | 49725 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:10.629198074 CET | 8787 | 49725 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:11.513920069 CET | 49726 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:11.633234978 CET | 8787 | 49726 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:11.633385897 CET | 49726 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:11.633851051 CET | 49726 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:11.753063917 CET | 8787 | 49726 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:13.575541019 CET | 8787 | 49726 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:13.575669050 CET | 49726 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:13.575761080 CET | 49726 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:13.694960117 CET | 8787 | 49726 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:14.592824936 CET | 49728 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:14.712497950 CET | 8787 | 49728 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:14.712599993 CET | 49728 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:14.713063955 CET | 49728 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:14.832293034 CET | 8787 | 49728 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:16.653384924 CET | 8787 | 49728 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:16.655227900 CET | 49728 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:16.655227900 CET | 49728 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:16.774583101 CET | 8787 | 49728 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:17.711457014 CET | 49729 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:17.832474947 CET | 8787 | 49729 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:17.832586050 CET | 49729 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:17.840396881 CET | 49729 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:17.959867001 CET | 8787 | 49729 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:19.774918079 CET | 8787 | 49729 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:19.775144100 CET | 49729 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:19.775162935 CET | 49729 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:19.894618988 CET | 8787 | 49729 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:20.779706955 CET | 49730 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:20.899013996 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:20.899099112 CET | 49730 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:20.899359941 CET | 49730 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:21.018727064 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:22.841533899 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:22.841691971 CET | 49730 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:22.841691971 CET | 49730 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:22.961146116 CET | 8787 | 49730 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:23.857938051 CET | 49731 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:23.977377892 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:23.981487989 CET | 49731 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:23.981583118 CET | 49731 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:24.100838900 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:25.918972969 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:25.919049978 CET | 49731 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:25.919111013 CET | 49731 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:26.039026022 CET | 8787 | 49731 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:26.920227051 CET | 49732 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:27.039501905 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:27.039596081 CET | 49732 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:27.040003061 CET | 49732 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:27.159275055 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:28.983182907 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:28.983248949 CET | 49732 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:28.983380079 CET | 49732 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:29.102822065 CET | 8787 | 49732 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:29.998507023 CET | 49733 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:30.117922068 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:30.118014097 CET | 49733 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:30.118304014 CET | 49733 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:30.237626076 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:32.059990883 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:32.060286999 CET | 49733 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:32.060286999 CET | 49733 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:32.179891109 CET | 8787 | 49733 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:33.076478958 CET | 49734 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:33.195827961 CET | 8787 | 49734 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:33.195914984 CET | 49734 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:33.196391106 CET | 49734 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:33.315690041 CET | 8787 | 49734 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:35.134368896 CET | 8787 | 49734 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:35.134439945 CET | 49734 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:35.134481907 CET | 49734 | 8787 | 192.168.2.8 | 192.210.150.26
                                   Dec 8, 2024 09:13:35.253807068 CET | 8787 | 49734 | 192.210.150.26 | 192.168.2.8
                                   Dec 8, 2024 09:13:36.147025108 CET | 49736 | 8787 | 192.168.2.8 | 192.210.150.26
                                  Dec 8, 2024 09:13:36.266602039 CET878749736192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:36.269182920 CET497368787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:36.271421909 CET497368787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:36.390664101 CET878749736192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:38.216232061 CET878749736192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:38.216308117 CET497368787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:38.216351986 CET497368787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:38.337616920 CET878749736192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:39.232665062 CET497388787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:39.352076054 CET878749738192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:39.352158070 CET497388787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:39.352420092 CET497388787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:39.471775055 CET878749738192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:41.290076017 CET878749738192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:41.290158033 CET497388787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:41.290482044 CET497388787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:41.409655094 CET878749738192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:42.295367956 CET497398787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:42.414650917 CET878749739192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:42.414738894 CET497398787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:42.415020943 CET497398787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:42.535479069 CET878749739192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:44.353125095 CET878749739192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:44.353293896 CET497398787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:44.353332043 CET497398787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:44.472623110 CET878749739192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:45.357682943 CET497408787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:45.477118015 CET878749740192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:45.477214098 CET497408787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:45.477709055 CET497408787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:45.596915960 CET878749740192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:47.419912100 CET878749740192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:47.419981956 CET497408787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:47.420046091 CET497408787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:47.539550066 CET878749740192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:48.436439037 CET497418787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:48.556008101 CET878749741192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:48.556380033 CET497418787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:48.556380033 CET497418787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:48.675795078 CET878749741192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:50.497742891 CET878749741192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:50.497828007 CET497418787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:50.497876883 CET497418787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:50.617258072 CET878749741192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:51.514280081 CET497428787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:51.636310101 CET878749742192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:51.637192965 CET497428787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:51.637470007 CET497428787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:51.757813931 CET878749742192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:53.572031975 CET878749742192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:53.572110891 CET497428787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:53.572168112 CET497428787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:53.691476107 CET878749742192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:54.576646090 CET497438787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:54.697225094 CET878749743192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:54.697464943 CET497438787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:54.697762966 CET497438787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:54.818146944 CET878749743192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:56.638360023 CET878749743192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:56.638438940 CET497438787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:56.638492107 CET497438787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:56.758093119 CET878749743192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:57.610553026 CET497448787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:57.729979038 CET878749744192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:57.730149031 CET497448787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:57.730447054 CET497448787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:57.849771023 CET878749744192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:59.665663004 CET878749744192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:13:59.665745020 CET497448787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:59.665796995 CET497448787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:13:59.785185099 CET878749744192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:00.615668058 CET497458787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:00.735047102 CET878749745192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:00.739161968 CET497458787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:00.741188049 CET497458787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:00.860913992 CET878749745192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:02.702239037 CET878749745192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:02.702334881 CET497458787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:02.702400923 CET497458787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:02.821780920 CET878749745192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:03.607795954 CET497468787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:03.727346897 CET878749746192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:03.727576017 CET497468787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:03.727881908 CET497468787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:03.847254038 CET878749746192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:05.669728994 CET878749746192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:05.669867992 CET497468787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:05.669867992 CET497468787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:05.789350986 CET878749746192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:06.549062967 CET497478787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:06.669002056 CET878749747192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:06.669352055 CET497478787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:06.670128107 CET497478787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:06.789518118 CET878749747192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:08.604449034 CET878749747192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:08.604532003 CET497478787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:08.604587078 CET497478787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:08.723923922 CET878749747192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:09.451606989 CET497488787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:09.570961952 CET878749748192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:09.571125984 CET497488787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:09.572830915 CET497488787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:09.692178011 CET878749748192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:11.513696909 CET878749748192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:11.514003992 CET497488787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:11.514179945 CET497488787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:11.633443117 CET878749748192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:12.342391014 CET497498787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:12.461874962 CET878749749192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:12.462008953 CET497498787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:12.462297916 CET497498787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:12.581640959 CET878749749192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:14.425787926 CET878749749192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:14.425961971 CET497498787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:14.426045895 CET497498787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:14.545248032 CET878749749192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:15.217186928 CET497508787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:15.336487055 CET878749750192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:15.339107037 CET497508787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:15.339411974 CET497508787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:15.458720922 CET878749750192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:17.275262117 CET878749750192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:17.278261900 CET497508787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:17.278367996 CET497508787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:17.397614956 CET878749750192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:18.045404911 CET497518787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:18.164763927 CET878749751192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:18.164840937 CET497518787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:18.165371895 CET497518787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:18.284626007 CET878749751192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:20.103949070 CET878749751192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:20.104008913 CET497518787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:20.104053974 CET497518787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:20.223495007 CET878749751192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:20.842252016 CET497528787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:20.961772919 CET878749752192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:20.961853027 CET497528787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:20.962166071 CET497528787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:21.081438065 CET878749752192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:22.900532961 CET878749752192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:22.901122093 CET497528787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:22.901154041 CET497528787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:23.020456076 CET878749752192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:23.623327971 CET497538787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:23.742711067 CET878749753192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:23.742806911 CET497538787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:23.743191957 CET497538787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:23.862520933 CET878749753192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:25.701246977 CET878749753192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:25.703126907 CET497538787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:25.703170061 CET497538787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:25.822458029 CET878749753192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:26.404716015 CET497548787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:26.524388075 CET878749754192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:26.527151108 CET497548787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:26.527441025 CET497548787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:26.646912098 CET878749754192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:28.463630915 CET878749754192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:28.467252016 CET497548787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:28.467252016 CET497548787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:28.586685896 CET878749754192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:29.138972044 CET497558787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:29.258650064 CET878749755192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:29.258745909 CET497558787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:29.259037971 CET497558787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:29.378459930 CET878749755192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:31.201215029 CET878749755192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:31.201272964 CET497558787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:31.201368093 CET497558787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:31.320962906 CET878749755192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:31.858550072 CET497568787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:31.977988005 CET878749756192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:31.978137970 CET497568787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:31.978435040 CET497568787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:32.100531101 CET878749756192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:33.917498112 CET878749756192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:33.919178963 CET497568787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:33.919178963 CET497568787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:34.039112091 CET878749756192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:34.545310020 CET497578787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:34.664624929 CET878749757192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:34.665129900 CET497578787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:34.665419102 CET497578787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:34.784676075 CET878749757192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:36.611390114 CET878749757192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:36.611684084 CET497578787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:36.611754894 CET497578787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:36.731091022 CET878749757192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:37.217309952 CET497588787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:37.336857080 CET878749758192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:37.339093924 CET497588787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:37.339485884 CET497588787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:37.458725929 CET878749758192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:39.301497936 CET878749758192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:39.301553965 CET497588787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:39.301640987 CET497588787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:39.420969009 CET878749758192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:39.888812065 CET497598787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:40.008153915 CET878749759192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:40.011215925 CET497598787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:40.011408091 CET497598787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:40.130593061 CET878749759192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:41.951549053 CET878749759192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:41.951639891 CET497598787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:41.951639891 CET497598787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:42.071173906 CET878749759192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:42.530437946 CET497608787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:42.649774075 CET878749760192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:42.649880886 CET497608787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:42.650208950 CET497608787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:42.769469976 CET878749760192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:44.588356018 CET878749760192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:44.589211941 CET497608787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:44.589211941 CET497608787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:44.708592892 CET878749760192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:45.139107943 CET497618787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:45.258522034 CET878749761192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:45.258603096 CET497618787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:45.259021044 CET497618787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:45.378436089 CET878749761192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:47.223378897 CET878749761192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:47.223455906 CET497618787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:47.223488092 CET497618787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:47.342860937 CET878749761192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:47.764072895 CET497628787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:47.883307934 CET878749762192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:47.887151003 CET497628787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:47.889559031 CET497628787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:48.008928061 CET878749762192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:49.823079109 CET878749762192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:49.827136040 CET497628787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:49.827178955 CET497628787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:49.946481943 CET878749762192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:50.344680071 CET497638787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:50.464319944 CET878749763192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:50.464443922 CET497638787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:50.464910030 CET497638787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:50.584247112 CET878749763192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:52.401686907 CET878749763192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:52.403100967 CET497638787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:52.403166056 CET497638787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:52.522597075 CET878749763192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:52.904555082 CET497648787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:53.023916960 CET878749764192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:53.023998976 CET497648787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:53.024437904 CET497648787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:53.143976927 CET878749764192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:55.020276070 CET878749764192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:55.021748066 CET497648787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:55.021809101 CET497648787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:55.141216040 CET878749764192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:55.507540941 CET497658787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:55.626878977 CET878749765192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:55.626966953 CET497658787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:55.627260923 CET497658787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:55.746665955 CET878749765192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:57.630645990 CET878749765192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:57.631059885 CET497658787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:57.631108046 CET497658787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:57.750492096 CET878749765192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:58.126485109 CET497668787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:58.245825052 CET878749766192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:14:58.246001005 CET497668787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:58.246367931 CET497668787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:14:58.365669966 CET878749766192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:15:00.186500072 CET878749766192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:15:00.186562061 CET497668787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:15:00.186614990 CET497668787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:15:00.305973053 CET878749766192.210.150.26192.168.2.8
                                  Dec 8, 2024 09:15:00.639292955 CET497678787192.168.2.8192.210.150.26
                                  Dec 8, 2024 09:15:00.758935928 CET878749767192.210.150.26192.168.2.8
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 8, 2024 09:15:00.759062052 CET  49767        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:00.759362936 CET  49767        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:00.878670931 CET  8787         49767      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:02.698844910 CET  8787         49767      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:02.699001074 CET  49767        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:02.699182987 CET  49767        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:02.818468094 CET  8787         49767      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:03.139199018 CET  49768        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:03.258680105 CET  8787         49768      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:03.258794069 CET  49768        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:03.259054899 CET  49768        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:03.378302097 CET  8787         49768      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:05.217706919 CET  8787         49768      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:05.219158888 CET  49768        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:05.219158888 CET  49768        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:05.338481903 CET  8787         49768      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:05.642236948 CET  49769        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:05.761650085 CET  8787         49769      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:05.761862040 CET  49769        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:05.762061119 CET  49769        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:05.881416082 CET  8787         49769      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:07.718293905 CET  8787         49769      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:07.718367100 CET  49769        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:07.718477964 CET  49769        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:07.837730885 CET  8787         49769      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:08.183438063 CET  49770        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:08.302805901 CET  8787         49770      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:08.302880049 CET  49770        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:08.305861950 CET  49770        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:08.438775063 CET  8787         49770      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:10.248969078 CET  8787         49770      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:10.249033928 CET  49770        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:10.249070883 CET  49770        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:10.368441105 CET  8787         49770      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:10.638853073 CET  49771        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:10.758179903 CET  8787         49771      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:10.758253098 CET  49771        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:10.758558989 CET  49771        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:10.877849102 CET  8787         49771      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:12.698484898 CET  8787         49771      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:12.698565960 CET  49771        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:12.698602915 CET  49771        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:12.818114042 CET  8787         49771      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:13.076427937 CET  49772        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:13.196032047 CET  8787         49772      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:13.196115017 CET  49772        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:13.196593046 CET  49772        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:13.315917015 CET  8787         49772      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:15.139882088 CET  8787         49772      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:15.139949083 CET  49772        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:15.140041113 CET  49772        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:15.259695053 CET  8787         49772      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:15.519347906 CET  49773        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:15.638777018 CET  8787         49773      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:15.638853073 CET  49773        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:15.639337063 CET  49773        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:15.758620024 CET  8787         49773      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:17.573369980 CET  8787         49773      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:17.573450089 CET  49773        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:17.573502064 CET  49773        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:17.692749977 CET  8787         49773      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:17.954705000 CET  49774        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:18.074064016 CET  8787         49774      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:18.074270964 CET  49774        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:18.074480057 CET  49774        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:18.193797112 CET  8787         49774      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:20.030282974 CET  8787         49774      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:20.030349970 CET  49774        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:20.030389071 CET  49774        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:20.149651051 CET  8787         49774      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:20.373387098 CET  49775        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:20.492779016 CET  8787         49775      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:20.492866993 CET  49775        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:20.493216038 CET  49775        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:20.612463951 CET  8787         49775      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:22.458077908 CET  8787         49775      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:22.458149910 CET  49775        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:22.458229065 CET  49775        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:22.577481985 CET  8787         49775      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:22.794985056 CET  49776        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:22.914657116 CET  8787         49776      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:22.914755106 CET  49776        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:22.915148973 CET  49776        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:23.034518957 CET  8787         49776      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:24.854866982 CET  8787         49776      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:24.855024099 CET  49776        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:24.855087996 CET  49776        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:24.974426985 CET  8787         49776      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:25.185774088 CET  49777        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:25.305182934 CET  8787         49777      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:25.305255890 CET  49777        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:25.305668116 CET  49777        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:25.424938917 CET  8787         49777      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:27.249821901 CET  8787         49777      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:27.249886990 CET  49777        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:27.249964952 CET  49777        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:27.370302916 CET  8787         49777      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:27.561158895 CET  49778        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:27.680706024 CET  8787         49778      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:27.680891991 CET  49778        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:27.681128025 CET  49778        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:27.800386906 CET  8787         49778      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:29.624427080 CET  8787         49778      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:29.624499083 CET  49778        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:29.624582052 CET  49778        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:29.743894100 CET  8787         49778      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:29.935894012 CET  49779        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:30.055234909 CET  8787         49779      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:30.059072018 CET  49779        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:30.059319973 CET  49779        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:30.283911943 CET  8787         49779      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:31.996334076 CET  8787         49779      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:31.996510983 CET  49779        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:31.996510983 CET  49779        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:32.115850925 CET  8787         49779      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:32.297000885 CET  49780        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:32.416424036 CET  8787         49780      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:32.417073965 CET  49780        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:32.417206049 CET  49780        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:32.536482096 CET  8787         49780      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:34.390526056 CET  8787         49780      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:34.390594006 CET  49780        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:34.390630007 CET  49780        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:34.509872913 CET  8787         49780      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:34.670217991 CET  49781        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:34.789690971 CET  8787         49781      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:34.789805889 CET  49781        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:34.790093899 CET  49781        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:34.909392118 CET  8787         49781      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:36.750704050 CET  8787         49781      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:36.750833035 CET  49781        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:36.750833035 CET  49781        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:36.870457888 CET  8787         49781      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:37.031009912 CET  49782        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:37.150552034 CET  8787         49782      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:37.150778055 CET  49782        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:37.155020952 CET  49782        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:37.274389982 CET  8787         49782      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:39.089271069 CET  8787         49782      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:39.095086098 CET  49782        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:39.095124006 CET  49782        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:39.214659929 CET  8787         49782      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:39.357606888 CET  49783        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:39.476979017 CET  8787         49783      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:39.477052927 CET  49783        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:39.477489948 CET  49783        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:39.596760988 CET  8787         49783      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:41.422774076 CET  8787         49783      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:41.423053980 CET  49783        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:41.423247099 CET  49783        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:41.542892933 CET  8787         49783      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:41.685947895 CET  49784        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:41.805332899 CET  8787         49784      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:41.805438042 CET  49784        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:41.805756092 CET  49784        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:41.925648928 CET  8787         49784      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:43.749645948 CET  8787         49784      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:43.749730110 CET  49784        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:43.749764919 CET  49784        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:43.869219065 CET  8787         49784      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:43.998080015 CET  49785        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:44.117517948 CET  8787         49785      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:44.117683887 CET  49785        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:44.118000031 CET  49785        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:44.238303900 CET  8787         49785      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:46.062123060 CET  8787         49785      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:46.062199116 CET  49785        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:46.062254906 CET  49785        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:46.181555986 CET  8787         49785      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:46.311531067 CET  49786        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:46.430906057 CET  8787         49786      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:46.431006908 CET  49786        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:46.431293011 CET  49786        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:46.550602913 CET  8787         49786      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:48.371860981 CET  8787         49786      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:48.375067949 CET  49786        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:48.375122070 CET  49786        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:48.494466066 CET  8787         49786      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:48.607603073 CET  49787        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:48.727054119 CET  8787         49787      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:48.727139950 CET  49787        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:48.727473974 CET  49787        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:48.846854925 CET  8787         49787      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:50.718590975 CET  8787         49787      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:50.718696117 CET  49787        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:50.718771935 CET  49787        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:50.838088036 CET  8787         49787      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:50.951261997 CET  49788        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:51.070516109 CET  8787         49788      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:51.070635080 CET  49788        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:51.070946932 CET  49788        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:51.190263033 CET  8787         49788      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:53.052180052 CET  8787         49788      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:53.052238941 CET  49788        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:53.052319050 CET  49788        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:53.171631098 CET  8787         49788      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:53.263736010 CET  49789        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:53.383054018 CET  8787         49789      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:53.385263920 CET  49789        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:53.385555983 CET  49789        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:53.504829884 CET  8787         49789      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:55.349693060 CET  8787         49789      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:55.349754095 CET  49789        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:55.349822998 CET  49789        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:55.469445944 CET  8787         49789      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:55.560647964 CET  49790        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:55.680145979 CET  8787         49790      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:55.683176041 CET  49790        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:55.683362007 CET  49790        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:55.803091049 CET  8787         49790      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:57.621457100 CET  8787         49790      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:57.621539116 CET  49790        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:57.621607065 CET  49790        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:57.740952015 CET  8787         49790      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:57.826272011 CET  49791        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:57.945838928 CET  8787         49791      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:57.945919037 CET  49791        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:57.946252108 CET  49791        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:58.065601110 CET  8787         49791      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:59.913019896 CET  8787         49791      192.210.150.26   192.168.2.8
Dec 8, 2024 09:15:59.914104939 CET  49791        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:15:59.914185047 CET  49791        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:00.033605099 CET  8787         49791      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:00.107470036 CET  49792        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:00.226872921 CET  8787         49792      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:00.226980925 CET  49792        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:00.227442026 CET  49792        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:00.346697092 CET  8787         49792      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:02.407187939 CET  8787         49792      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:02.411094904 CET  49792        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:02.424272060 CET  49792        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:02.543627024 CET  8787         49792      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:02.623080969 CET  49793        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:02.743746042 CET  8787         49793      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:02.743829966 CET  49793        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:02.744381905 CET  49793        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:02.863878012 CET  8787         49793      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:04.683514118 CET  8787         49793      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:04.683582067 CET  49793        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:04.683629990 CET  49793        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:04.803082943 CET  8787         49793      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:04.873223066 CET  49794        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:04.992633104 CET  8787         49794      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:04.992727041 CET  49794        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:04.993195057 CET  49794        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:05.112487078 CET  8787         49794      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:06.937654972 CET  8787         49794      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:06.937752008 CET  49794        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:06.937791109 CET  49794        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:07.057251930 CET  8787         49794      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:07.123275995 CET  49795        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:07.242726088 CET  8787         49795      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:07.243083000 CET  49795        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:07.243402958 CET  49795        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:07.362657070 CET  8787         49795      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:09.184616089 CET  8787         49795      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:09.187052965 CET  49795        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:09.187094927 CET  49795        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:09.306451082 CET  8787         49795      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:09.357523918 CET  49796        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:09.477020025 CET  8787         49796      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:09.479182005 CET  49796        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:09.479368925 CET  49796        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:09.598655939 CET  8787         49796      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:11.418801069 CET  8787         49796      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:11.419154882 CET  49796        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:11.419713020 CET  49796        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:11.538989067 CET  8787         49796      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:11.591846943 CET  49797        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:11.711261988 CET  8787         49797      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:11.713124037 CET  49797        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:11.713443041 CET  49797        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:11.832704067 CET  8787         49797      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:13.656506062 CET  8787         49797      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:13.659086943 CET  49797        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:13.659145117 CET  49797        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:13.778628111 CET  8787         49797      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:13.826446056 CET  49798        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:13.951828957 CET  8787         49798      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:13.951951027 CET  49798        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:13.952222109 CET  49798        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:14.071778059 CET  8787         49798      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:15.886620045 CET  8787         49798      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:15.886684895 CET  49798        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:15.886728048 CET  49798        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:16.006088972 CET  8787         49798      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:16.045051098 CET  49799        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:16.164753914 CET  8787         49799      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:16.165183067 CET  49799        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:16.165463924 CET  49799        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:16.285207033 CET  8787         49799      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:18.106369972 CET  8787         49799      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:18.107084036 CET  49799        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:18.193933010 CET  49799        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:18.313534021 CET  8787         49799      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:18.388783932 CET  49800        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:18.509147882 CET  8787         49800      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:18.509237051 CET  49800        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:18.509491920 CET  49800        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:18.628832102 CET  8787         49800      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:20.449431896 CET  8787         49800      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:20.451045036 CET  49800        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:20.451085091 CET  49800        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:20.570517063 CET  8787         49800      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:20.591928959 CET  49801        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:20.711385965 CET  8787         49801      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:20.711514950 CET  49801        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:20.781708002 CET  49801        8787       192.168.2.8      192.210.150.26
Dec 8, 2024 09:16:20.901153088 CET  8787         49801      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:22.653290987 CET  8787         49801      192.210.150.26   192.168.2.8
Dec 8, 2024 09:16:22.653373957 CET  49801        8787       192.168.2.8      192.210.150.26

                                  Target ID:0
                                  Start time:03:12:13
                                  Start date:08/12/2024
                                  Path:C:\Users\user\Desktop\uIarPolvHR.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\uIarPolvHR.exe"
                                  Imagebase:0xd80000
                                  File size:877'056 bytes
                                  MD5 hash:F3C6C680B66EF4A132E3A9B61B83622D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:03:12:14
                                  Start date:08/12/2024
                                  Path:C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\uIarPolvHR.exe"
                                  Imagebase:0xdc0000
                                  File size:877'056 bytes
                                  MD5 hash:F3C6C680B66EF4A132E3A9B61B83622D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 61%, ReversingLabs
• Detection: 70%, Virustotal
                                  Reputation:low
                                  Has exited:false
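
The Source field on each Yara match is a Joe Sandbox memory-dump identifier, and reading it tells you where in the process the rule fired. For Target ID 2 the Remcos and CMSTP-bypass rules hit a region based at 0x400000 with protection 0x40 (PAGE_EXECUTE_READWRITE) while the process's own Imagebase is 0xdc0000: a second PE sitting in writable, executable memory away from the loaded image, which is consistent with an unpacked or injected payload. The helper below is an added example, not Joe Security's code. It assumes the identifier layout target.field.field.base.protection.field.field.field.sdmp and interprets only the target id, base address and protection field (protection values are the standard winnt.h PAGE_* constants); the remaining fields are treated as opaque. The sample lines are copied from the Target ID 2 entry above.

```python
"""Triage helper for Joe Sandbox 'Yara matches' lines (added example).

A match names a memory-dump source such as
  00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp
This pulls out the target id, region base address and page protection, then
flags regions that are writable+executable and not the process's own image,
which is how an unpacked/injected payload presents in memory.
ASSUMPTION: only target id (field 1), base (field 4) and protection (field 5)
are interpreted; the other fields are left opaque.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Page protection constants from winnt.h (standard Windows values).
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
_EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
_WRITABLE_EXEC = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

SDMP_RE = re.compile(
    r"^(?P<target>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$"
)
YARA_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>\S+\.sdmp)")


@dataclass(frozen=True)
class Region:
    target_id: int
    base: int
    protect: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & _EXECUTABLE)

    @property
    def rwx(self) -> bool:
        # PAGE_EXECUTE_READWRITE / PAGE_EXECUTE_WRITECOPY: code that can rewrite itself.
        return bool(self.protect & _WRITABLE_EXEC)


def parse_sdmp(name: str) -> Region:
    """Decode one .sdmp identifier into (target id, base address, protection)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name}")
    return Region(int(m["target"], 16), int(m["base"], 16), int(m["protect"], 16))


def parse_yara_line(line: str) -> Optional[Tuple[str, Region]]:
    """Return (rule name, Region) for a '• Rule: ..., Source: ...' line, else None."""
    m = YARA_RE.search(line)
    if not m:
        return None
    return m["rule"].strip(), parse_sdmp(m["source"])


def injected_payload_regions(lines: Iterable[str], image_base: int,
                             rule_keyword: str = "Remcos") -> List[int]:
    """Distinct region bases where a rule whose name contains rule_keyword hit
    inside an RWX region that is not the process's own image (sorted)."""
    hits = set()
    for line in lines:
        parsed = parse_yara_line(line)
        if parsed is None:
            continue
        rule, region = parsed
        if rule_keyword.lower() in rule.lower() and region.rwx and region.base != image_base:
            hits.add(region.base)
    return sorted(hits)


# Input copied from the Target ID 2 entry of this report (Imagebase 0xdc0000).
TARGET2_IMAGEBASE = 0xDC0000
TARGET2_YARA = [
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security",
]

if __name__ == "__main__":
    for base in injected_payload_regions(TARGET2_YARA, TARGET2_IMAGEBASE):
        print(f"Remcos code in RWX region at {base:#x}; process image is at {TARGET2_IMAGEBASE:#x}")
```

For Target ID 2 only the 0x400000 region is both RWX and off the image base; the hits at 0x17DC000, 0x38F0000 and 0x45FE000 are read/write regions (configuration or strings rather than code) and are reported separately by the same parser if you drop the `rwx` condition.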

                                  Target ID:3
                                  Start time:03:12:27
                                  Start date:08/12/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs"
                                  Imagebase:0x7ff771700000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:03:12:27
                                  Start date:08/12/2024
                                  Path:C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
                                  Imagebase:0xdc0000
                                  File size:877'056 bytes
                                  MD5 hash:F3C6C680B66EF4A132E3A9B61B83622D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:true

                                  Target ID:5
                                  Start time:03:12:28
                                  Start date:08/12/2024
                                  Path:C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
                                  Imagebase:0xdc0000
                                  File size:877'056 bytes
                                  MD5 hash:F3C6C680B66EF4A132E3A9B61B83622D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:true
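
Read together, Target IDs 2 to 5 show the persistence chain: the sample runs again from C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe with the same MD5 as the submitted file (a self-copy, launched in Target ID 2 with the original Desktop command line), WScript.exe is started with nonhazardousness.vbs from the user's Startup folder, and nonhazardousness.exe starts again without elevated privileges immediately afterwards (Target IDs 4 and 5). The script below is an added example, not Joe Security's tooling, that turns those three observations into checks over process-creation records. The records are constructed from the table's Path, Commandline, MD5 and privilege fields; the Proc type and field names are this example's own, not a sandbox export format.

```python
"""Persistence-chain checks over process-creation records (added example).

Flags three things visible in the process list:
  startup_script    a script host (wscript/cscript) started with a script that
                    lives in a per-user Startup folder
  self_copy         a process with the submitted sample's MD5 running from a
                    different path (here under %LOCALAPPDATA%)
  cmdline_mismatch  the image named in Commandline is not the image on disk
The Proc records are constructed from the report's table, not exported from it.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
LOCALAPPDATA_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    target_id: int
    path: str
    commandline: str
    md5: str
    elevated: bool


def split_cmdline(cmdline: str) -> Tuple[str, List[str]]:
    """Split a Windows command line into (image, args), honouring double quotes."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return (tokens[0] if tokens else ""), tokens[1:]


def findings(procs: Iterable[Proc], sample_path: str, sample_md5: str) -> List[Tuple[int, str, str]]:
    """Return (target_id, kind, detail) triples for every check that fires."""
    out: List[Tuple[int, str, str]] = []
    for p in procs:
        image, args = split_cmdline(p.commandline)
        # 1. Script host fed a script from the Startup folder (runs at every logon).
        if ntpath.basename(p.path).lower() in SCRIPT_HOSTS:
            for a in args:
                if ntpath.splitext(a)[1].lower() in SCRIPT_EXTS and STARTUP_RE.search(a):
                    out.append((p.target_id, "startup_script", a))
        # 2. Same bytes as the submitted sample, executed from somewhere else.
        if p.md5.lower() == sample_md5.lower() and ntpath.normcase(p.path) != ntpath.normcase(sample_path):
            where = "LOCALAPPDATA" if LOCALAPPDATA_RE.match(p.path) else "other"
            out.append((p.target_id, "self_copy", f"{p.path} ({where}, elevated={p.elevated})"))
        # 3. On-disk image differs from the image the command line claims.
        if image and ntpath.normcase(image) != ntpath.normcase(p.path):
            out.append((p.target_id, "cmdline_mismatch", f"{image} != {p.path}"))
    return out


# Constructed from the process list above (Target IDs 0, 2, 3, 4, 5).
SAMPLE_PATH = r"C:\Users\user\Desktop\uIarPolvHR.exe"
SAMPLE_MD5 = "F3C6C680B66EF4A132E3A9B61B83622D"
COPY_PATH = r"C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
PROCS = [
    Proc(0, SAMPLE_PATH, f'"{SAMPLE_PATH}"', SAMPLE_MD5, True),
    Proc(2, COPY_PATH, f'"{SAMPLE_PATH}"', SAMPLE_MD5, True),
    Proc(3, r"C:\Windows\System32\wscript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs"',
         "A47CBE969EA935BDD3AB568BB126BC80", False),
    Proc(4, COPY_PATH, f'"{COPY_PATH}"', SAMPLE_MD5, False),
    Proc(5, COPY_PATH, f'"{COPY_PATH}"', SAMPLE_MD5, False),
]

if __name__ == "__main__":
    for target_id, kind, detail in findings(PROCS, SAMPLE_PATH, SAMPLE_MD5):
        print(f"Target {target_id}: {kind}: {detail}")
```

The same three checks carry over to real telemetry (Sysmon event 1 or EDR process-start records) by filling Proc from Image, CommandLine and the file hash; the Startup-folder regex also matches the all-users ProgramData\Microsoft\Windows\Start Menu\Programs\Startup path.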


                                    Execution Graph

                                    Execution Coverage:3.2%
                                    Dynamic/Decrypted Code Coverage:0.4%
                                    Signature Coverage:10.1%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:159
execution_graph: the node/edge dump (numbered address nodes such as d81078 and da2d40 with their edges) is not reproduced. Windows API calls reached by the graph include RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, RtlDecodePointer, RtlEncodePointer, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetModuleHandleExW, GetProcAddress, ExitProcess, RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, GetCurrentProcess, TerminateProcess, FreeLibrary, CharLowerBuffW, VirtualProtect, PostQuitMessage, NtdllDefWindowProc_W, SetTimer, KillTimer, RegisterClipboardFormatW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, DestroyCursor, LoadStringW, GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SystemParametersInfoW, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetStdHandle, GetFileType, IsProcessorFeaturePresent, Sleep, IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter. CRT routines named in the graph include _memmove, _memset, _wcscat, _wcscpy, _wcsstr, _free, _doexit, __cinit, __getptd_noexit, __NMSG_WRITE and std::exception::exception.
105330->105336 105332 da8d57 ___raise_securityfailure 105337 dac5f6 105332->105337 105334 da8d7a 105335 daa140 GetCurrentProcess TerminateProcess 105334->105335 105335->105327 105336->105332 105338 dac5fe 105337->105338 105339 dac600 IsProcessorFeaturePresent 105337->105339 105338->105334 105341 db590a 105339->105341 105344 db58b9 5 API calls 2 library calls 105341->105344 105343 db59ed 105343->105334 105344->105343 105346 daa4d4 RtlEncodePointer 105345->105346 105346->105346 105347 daa4ee 105346->105347 105347->105269 105349 da9c0b __lock 58 API calls 105348->105349 105350 da3377 RtlDecodePointer RtlEncodePointer 105349->105350 105413 da9d75 RtlLeaveCriticalSection 105350->105413 105352 d84849 105353 da33d4 105352->105353 105354 da33f8 105353->105354 105355 da33de 105353->105355 105354->105278 105355->105354 105414 da8b28 58 API calls __getptd_noexit 105355->105414 105357 da33e8 105415 da8db6 9 API calls __controlfp_s 105357->105415 105359 da33f3 105359->105278 105360->105280 105362 d83b47 __ftell_nolock 105361->105362 105363 d87667 59 API calls 105362->105363 105364 d83b51 GetCurrentDirectoryW 105363->105364 105416 d83766 105364->105416 105366 d83b7a IsDebuggerPresent 105367 d83b88 105366->105367 105368 dbd272 MessageBoxA 105366->105368 105369 d83c61 105367->105369 105371 dbd28c 105367->105371 105372 d83ba5 105367->105372 105368->105371 105370 d83c68 SetCurrentDirectoryW 105369->105370 105373 d83c75 Mailbox 105370->105373 105615 d87213 59 API calls Mailbox 105371->105615 105497 d87285 105372->105497 105373->105282 105376 dbd29c 105381 dbd2b2 SetCurrentDirectoryW 105376->105381 105378 d83bc3 GetFullPathNameW 105379 d87bcc 59 API calls 105378->105379 105380 d83bfe 105379->105380 105513 d9092d 105380->105513 105381->105373 105384 d83c1c 105385 d83c26 105384->105385 105616 dd874b AllocateAndInitializeSid CheckTokenMembership FreeSid 105384->105616 105529 d83a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 105385->105529 105389 dbd2cf 105389->105385 
105391 dbd2e0 105389->105391 105393 d84706 61 API calls 105391->105393 105392 d83c30 105394 d83c43 105392->105394 105396 d8434a 68 API calls 105392->105396 105395 dbd2e8 105393->105395 105537 d909d0 105394->105537 105398 d87de1 59 API calls 105395->105398 105396->105394 105400 dbd2f5 105398->105400 105399 d83c4e 105399->105369 105614 d8443a Shell_NotifyIconW _memset 105399->105614 105401 dbd2ff 105400->105401 105402 dbd324 105400->105402 105404 d87cab 59 API calls 105401->105404 105405 d87cab 59 API calls 105402->105405 105407 dbd30a 105404->105407 105406 dbd320 GetForegroundWindow ShellExecuteW 105405->105406 105410 dbd354 Mailbox 105406->105410 105409 d87b2e 59 API calls 105407->105409 105411 dbd317 105409->105411 105410->105369 105412 d87cab 59 API calls 105411->105412 105412->105406 105413->105352 105414->105357 105415->105359 105417 d87667 59 API calls 105416->105417 105418 d8377c 105417->105418 105617 d83d31 105418->105617 105420 d8379a 105421 d84706 61 API calls 105420->105421 105422 d837ae 105421->105422 105423 d87de1 59 API calls 105422->105423 105424 d837bb 105423->105424 105631 d84ddd 105424->105631 105427 d837dc Mailbox 105431 d88047 59 API calls 105427->105431 105428 dbd173 105687 de955b 105428->105687 105434 d837ef 105431->105434 105432 dbd192 105433 da2d55 _free 58 API calls 105432->105433 105436 dbd19f 105433->105436 105655 d8928a 105434->105655 105438 d84e4a 84 API calls 105436->105438 105440 dbd1a8 105438->105440 105444 d83ed0 59 API calls 105440->105444 105441 d87de1 59 API calls 105442 d83808 105441->105442 105658 d884c0 105442->105658 105446 dbd1c3 105444->105446 105445 d8381a Mailbox 105447 d87de1 59 API calls 105445->105447 105448 d83ed0 59 API calls 105446->105448 105449 d83840 105447->105449 105450 dbd1df 105448->105450 105451 d884c0 69 API calls 105449->105451 105452 d84706 61 API calls 105450->105452 105455 d8384f Mailbox 105451->105455 105453 dbd204 105452->105453 105454 d83ed0 59 API calls 105453->105454 105456 dbd210 105454->105456 
105457 d87667 59 API calls 105455->105457 105458 d88047 59 API calls 105456->105458 105459 d8386d 105457->105459 105460 dbd21e 105458->105460 105662 d83ed0 105459->105662 105462 d83ed0 59 API calls 105460->105462 105464 dbd22d 105462->105464 105470 d88047 59 API calls 105464->105470 105466 d83887 105466->105440 105467 d83891 105466->105467 105468 da2efd _W_store_winword 60 API calls 105467->105468 105469 d8389c 105468->105469 105469->105446 105471 d838a6 105469->105471 105472 dbd24f 105470->105472 105473 da2efd _W_store_winword 60 API calls 105471->105473 105474 d83ed0 59 API calls 105472->105474 105475 d838b1 105473->105475 105477 dbd25c 105474->105477 105475->105450 105476 d838bb 105475->105476 105478 da2efd _W_store_winword 60 API calls 105476->105478 105477->105477 105480 d838c6 105478->105480 105479 d83907 105479->105464 105481 d83914 105479->105481 105480->105464 105480->105479 105482 d83ed0 59 API calls 105480->105482 105484 d892ce 59 API calls 105481->105484 105483 d838ea 105482->105483 105485 d88047 59 API calls 105483->105485 105486 d83924 105484->105486 105487 d838f8 105485->105487 105488 d89050 59 API calls 105486->105488 105490 d83ed0 59 API calls 105487->105490 105489 d83932 105488->105489 105678 d88ee0 105489->105678 105490->105479 105492 d8928a 59 API calls 105494 d8394f 105492->105494 105493 d88ee0 60 API calls 105493->105494 105494->105492 105494->105493 105495 d83ed0 59 API calls 105494->105495 105496 d83995 Mailbox 105494->105496 105495->105494 105496->105366 105498 d87292 __ftell_nolock 105497->105498 105499 d872ab 105498->105499 105500 dbea22 _memset 105498->105500 105501 d84750 60 API calls 105499->105501 105502 dbea3e 762ED0D0 105500->105502 105503 d872b4 105501->105503 105504 dbea8d 105502->105504 106521 da0791 105503->106521 105507 d87bcc 59 API calls 105504->105507 105509 dbeaa2 105507->105509 105509->105509 105510 d872c9 106539 d8686a 105510->106539 105514 d9093a __ftell_nolock 105513->105514 106767 d86d80 105514->106767 105516 d9093f 
105528 d83c14 105516->105528 106778 d9119e 89 API calls 105516->106778 105518 d9094c 105518->105528 106779 d93ee7 91 API calls Mailbox 105518->106779 105520 d90955 105521 d90959 GetFullPathNameW 105520->105521 105520->105528 105522 d87bcc 59 API calls 105521->105522 105523 d90985 105522->105523 105524 d87bcc 59 API calls 105523->105524 105525 d90992 105524->105525 105526 dc4cab _wcscat 105525->105526 105527 d87bcc 59 API calls 105525->105527 105527->105528 105528->105376 105528->105384 105530 d83ab0 LoadImageW RegisterClassExW 105529->105530 105531 dbd261 105529->105531 106816 d83041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 105530->106816 106820 d847a0 LoadImageW EnumResourceNamesW 105531->106820 105535 dbd26a 105536 d839d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 105536->105392 105538 dc4cc3 105537->105538 105552 d909f5 105537->105552 106956 de9e4a 89 API calls 4 library calls 105538->106956 105540 d90ce4 105541 d90cfa 105540->105541 106953 d91070 10 API calls Mailbox 105540->106953 105541->105399 105543 d90ee4 105543->105541 105545 d90ef1 105543->105545 105546 d90a4b PeekMessageW 105567 d90a05 Mailbox 105546->105567 105550 dc4e81 Sleep 105550->105567 105552->105567 106957 d89e5d 60 API calls 105552->106957 106958 dd6349 331 API calls 105552->106958 105556 d90e43 PeekMessageW 105556->105567 105557 d90ea5 TranslateMessage DispatchMessageW 105557->105556 105558 dc4d50 TranslateAcceleratorW 105558->105556 105558->105567 105559 d89e5d 60 API calls 105559->105567 105560 d90d13 timeGetTime 105560->105567 105561 dc581f WaitForSingleObject 105563 dc583c GetExitCodeProcess CloseHandle 105561->105563 105561->105567 105570 d90f95 105563->105570 105564 d90e5f Sleep 105573 d90e70 Mailbox 105564->105573 105565 d88047 59 API calls 105565->105567 105566 d87667 59 API calls 105566->105573 105567->105540 105567->105546 105567->105550 105567->105556 105567->105557 105567->105558 105567->105559 105567->105560 105567->105561 105567->105564 105567->105565 
105569 da0db6 59 API calls Mailbox 105567->105569 105567->105570 105571 dc5af8 Sleep 105567->105571 105567->105573 105575 d90f4e timeGetTime 105567->105575 105579 d89837 84 API calls 105567->105579 105595 d89ea0 304 API calls 105567->105595 105600 de9e4a 89 API calls 105567->105600 105602 d884c0 69 API calls 105567->105602 105603 d889b3 69 API calls 105567->105603 105604 d89c90 59 API calls Mailbox 105567->105604 105605 dd617e 59 API calls Mailbox 105567->105605 105607 d87de1 59 API calls 105567->105607 105608 dc55d5 VariantClear 105567->105608 105609 dd6e8f 59 API calls 105567->105609 105610 dc566b VariantClear 105567->105610 105611 d88cd4 59 API calls Mailbox 105567->105611 105612 dc5419 VariantClear 105567->105612 105613 d8b73c 304 API calls 105567->105613 106821 d8e6a0 105567->106821 106852 d8f460 105567->106852 106871 d8fce0 105567->106871 106951 d8e420 331 API calls 105567->106951 106952 d831ce IsDialogMessageW GetClassLongW 105567->106952 106959 e06018 59 API calls 105567->106959 106960 de9a15 59 API calls Mailbox 105567->106960 106961 ddd4f2 59 API calls 105567->106961 106962 dd60ef 59 API calls 2 library calls 105567->106962 106963 d88401 59 API calls 105567->106963 106964 d882df 59 API calls Mailbox 105567->106964 105569->105567 105570->105399 105571->105573 105573->105566 105573->105567 105573->105570 105574 da049f timeGetTime 105573->105574 105578 dc5b8f GetExitCodeProcess 105573->105578 105584 e05f25 110 API calls 105573->105584 105585 d8b7dd 109 API calls 105573->105585 105586 dc5874 105573->105586 105587 dc5c17 Sleep 105573->105587 105588 dc5078 Sleep 105573->105588 105590 d87de1 59 API calls 105573->105590 106965 de2408 60 API calls 105573->106965 106966 d89e5d 60 API calls 105573->106966 106967 d889b3 69 API calls Mailbox 105573->106967 106968 d8b73c 331 API calls 105573->106968 106969 dd64da 60 API calls 105573->106969 106970 de5244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 105573->106970 106971 de3c55 
66 API calls Mailbox 105573->106971 105574->105573 106955 d89e5d 60 API calls 105575->106955 105580 dc5bbb CloseHandle 105578->105580 105581 dc5ba5 WaitForSingleObject 105578->105581 105579->105567 105580->105573 105581->105567 105581->105580 105584->105573 105585->105573 105586->105570 105587->105567 105588->105567 105590->105573 105595->105567 105600->105567 105602->105567 105603->105567 105604->105567 105605->105567 105607->105567 105608->105567 105609->105567 105610->105567 105611->105567 105612->105567 105613->105567 105614->105369 105615->105376 105616->105389 105618 d83d3e __ftell_nolock 105617->105618 105619 d87bcc 59 API calls 105618->105619 105622 d83ea4 Mailbox 105618->105622 105621 d83d70 105619->105621 105630 d83da6 Mailbox 105621->105630 105728 d879f2 105621->105728 105622->105420 105623 d879f2 59 API calls 105623->105630 105624 d83e77 105624->105622 105625 d87de1 59 API calls 105624->105625 105627 d83e98 105625->105627 105626 d87de1 59 API calls 105626->105630 105628 d83f74 59 API calls 105627->105628 105628->105622 105629 d83f74 59 API calls 105629->105630 105630->105622 105630->105623 105630->105624 105630->105626 105630->105629 105731 d84bb5 105631->105731 105636 d84e08 LoadLibraryExW 105741 d84b6a 105636->105741 105637 dbd8e6 105638 d84e4a 84 API calls 105637->105638 105640 dbd8ed 105638->105640 105642 d84b6a 3 API calls 105640->105642 105644 dbd8f5 105642->105644 105767 d84f0b 105644->105767 105645 d84e2f 105645->105644 105646 d84e3b 105645->105646 105647 d84e4a 84 API calls 105646->105647 105649 d837d4 105647->105649 105649->105427 105649->105428 105652 dbd91c 105773 d84ec7 105652->105773 105654 dbd929 105656 da0db6 Mailbox 59 API calls 105655->105656 105657 d837fb 105656->105657 105657->105441 105659 d884cb 105658->105659 105660 d884f2 105659->105660 106194 d889b3 69 API calls Mailbox 105659->106194 105660->105445 105663 d83eda 105662->105663 105664 d83ef3 105662->105664 105666 d88047 59 API calls 105663->105666 105665 d87bcc 59 API calls 
105664->105665 105667 d83879 105665->105667 105666->105667 105668 da2efd 105667->105668 105669 da2f09 105668->105669 105670 da2f7e 105668->105670 105676 da2f2e 105669->105676 106195 da8b28 58 API calls __getptd_noexit 105669->106195 106197 da2f90 60 API calls 4 library calls 105670->106197 105673 da2f8b 105673->105466 105674 da2f15 106196 da8db6 9 API calls __controlfp_s 105674->106196 105676->105466 105677 da2f20 105677->105466 105679 dbf17c 105678->105679 105681 d88ef7 105678->105681 105679->105681 106199 d88bdb 59 API calls Mailbox 105679->106199 105682 d88ff8 105681->105682 105683 d89040 105681->105683 105686 d88fff 105681->105686 105685 da0db6 Mailbox 59 API calls 105682->105685 106198 d89d3c 60 API calls Mailbox 105683->106198 105685->105686 105686->105494 105688 d84ee5 85 API calls 105687->105688 105689 de95ca 105688->105689 106200 de9734 96 API calls 2 library calls 105689->106200 105691 de95dc 105692 d84f0b 74 API calls 105691->105692 105720 dbd186 105691->105720 105693 de95f7 105692->105693 105694 d84f0b 74 API calls 105693->105694 105695 de9607 105694->105695 105696 d84f0b 74 API calls 105695->105696 105697 de9622 105696->105697 105698 d84f0b 74 API calls 105697->105698 105699 de963d 105698->105699 105700 d84ee5 85 API calls 105699->105700 105701 de9654 105700->105701 105702 da571c __crtLCMapStringA_stat 58 API calls 105701->105702 105703 de965b 105702->105703 105704 da571c __crtLCMapStringA_stat 58 API calls 105703->105704 105705 de9665 105704->105705 105706 d84f0b 74 API calls 105705->105706 105707 de9679 105706->105707 106201 de9109 GetSystemTimeAsFileTime 105707->106201 105709 de968c 105710 de96b6 105709->105710 105711 de96a1 105709->105711 105712 de96bc 105710->105712 105713 de971b 105710->105713 105714 da2d55 _free 58 API calls 105711->105714 106202 de8b06 105712->106202 105717 da2d55 _free 58 API calls 105713->105717 105715 de96a7 105714->105715 105718 da2d55 _free 58 API calls 105715->105718 105717->105720 105718->105720 105720->105432 105722 
d84e4a 105720->105722 105721 da2d55 _free 58 API calls 105721->105720 105723 d84e54 105722->105723 105725 d84e5b 105722->105725 105724 da53a6 __fcloseall 83 API calls 105723->105724 105724->105725 105726 d84e6a 105725->105726 105727 d84e7b FreeLibrary 105725->105727 105726->105432 105727->105726 105729 d87e4f 59 API calls 105728->105729 105730 d879fd 105729->105730 105730->105621 105778 d84c03 105731->105778 105734 d84bdc 105736 d84bec FreeLibrary 105734->105736 105737 d84bf5 105734->105737 105735 d84c03 2 API calls 105735->105734 105736->105737 105738 da525b 105737->105738 105782 da5270 105738->105782 105740 d84dfc 105740->105636 105740->105637 105939 d84c36 105741->105939 105744 d84b8f 105746 d84baa 105744->105746 105747 d84ba1 FreeLibrary 105744->105747 105745 d84c36 2 API calls 105745->105744 105748 d84c70 105746->105748 105747->105746 105749 da0db6 Mailbox 59 API calls 105748->105749 105750 d84c85 105749->105750 105751 d8522e 59 API calls 105750->105751 105752 d84c91 _memmove 105751->105752 105753 d84ccc 105752->105753 105755 d84d89 105752->105755 105756 d84dc1 105752->105756 105754 d84ec7 69 API calls 105753->105754 105764 d84cd5 105754->105764 105943 d84e89 CreateStreamOnHGlobal 105755->105943 105954 de991b 95 API calls 105756->105954 105759 d84f0b 74 API calls 105759->105764 105760 d84d69 105760->105645 105762 dbd8a7 105763 d84ee5 85 API calls 105762->105763 105765 dbd8bb 105763->105765 105764->105759 105764->105760 105764->105762 105949 d84ee5 105764->105949 105766 d84f0b 74 API calls 105765->105766 105766->105760 105768 d84f1d 105767->105768 105769 dbd9cd 105767->105769 105978 da55e2 105768->105978 105772 de9109 GetSystemTimeAsFileTime 105772->105652 105774 d84ed6 105773->105774 105777 dbd990 105773->105777 106176 da5c60 105774->106176 105776 d84ede 105776->105654 105779 d84bd0 105778->105779 105780 d84c0c LoadLibraryA 105778->105780 105779->105734 105779->105735 105780->105779 105781 d84c1d GetProcAddress 105780->105781 105781->105779 105784 da527c 
_doexit 105782->105784 105783 da528f 105831 da8b28 58 API calls __getptd_noexit 105783->105831 105784->105783 105786 da52c0 105784->105786 105801 db04e8 105786->105801 105787 da5294 105832 da8db6 9 API calls __controlfp_s 105787->105832 105790 da52c5 105791 da52db 105790->105791 105792 da52ce 105790->105792 105794 da5305 105791->105794 105795 da52e5 105791->105795 105833 da8b28 58 API calls __getptd_noexit 105792->105833 105816 db0607 105794->105816 105834 da8b28 58 API calls __getptd_noexit 105795->105834 105796 da529f _doexit @_EH4_CallFilterFunc@8 105796->105740 105802 db04f4 _doexit 105801->105802 105803 da9c0b __lock 58 API calls 105802->105803 105813 db0502 105803->105813 105804 db0576 105836 db05fe 105804->105836 105805 db057d 105841 da881d 58 API calls 2 library calls 105805->105841 105808 db05f3 _doexit 105808->105790 105809 db0584 105809->105804 105842 da9e2b InitializeCriticalSectionAndSpinCount 105809->105842 105812 da9c93 __mtinitlocknum 58 API calls 105812->105813 105813->105804 105813->105805 105813->105812 105839 da6c50 59 API calls __lock 105813->105839 105840 da6cba RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 105813->105840 105814 db05aa RtlEnterCriticalSection 105814->105804 105825 db0627 __wopenfile 105816->105825 105817 db0641 105847 da8b28 58 API calls __getptd_noexit 105817->105847 105818 db07fc 105818->105817 105822 db085f 105818->105822 105820 db0646 105848 da8db6 9 API calls __controlfp_s 105820->105848 105844 db85a1 105822->105844 105823 da5310 105835 da5332 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 105823->105835 105825->105817 105825->105818 105849 da37cb 60 API calls 3 library calls 105825->105849 105827 db07f5 105827->105818 105850 da37cb 60 API calls 3 library calls 105827->105850 105829 db0814 105829->105818 105851 da37cb 60 API calls 3 library calls 105829->105851 105831->105787 105832->105796 105833->105796 105834->105796 105835->105796 105843 da9d75 RtlLeaveCriticalSection 105836->105843 105838 db0605 
105838->105808 105839->105813 105840->105813 105841->105809 105842->105814 105843->105838 105852 db7d85 105844->105852 105846 db85ba 105846->105823 105847->105820 105848->105823 105849->105827 105850->105829 105851->105818 105853 db7d91 _doexit 105852->105853 105854 db7da7 105853->105854 105857 db7ddd 105853->105857 105936 da8b28 58 API calls __getptd_noexit 105854->105936 105856 db7dac 105937 da8db6 9 API calls __controlfp_s 105856->105937 105863 db7e4e 105857->105863 105860 db7df9 105938 db7e22 RtlLeaveCriticalSection __unlock_fhandle 105860->105938 105862 db7db6 _doexit 105862->105846 105864 db7e6e 105863->105864 105865 da44ea __wsopen_nolock 58 API calls 105864->105865 105868 db7e8a 105865->105868 105866 da8dc6 __invoke_watson 8 API calls 105867 db85a0 105866->105867 105869 db7d85 __wsopen_helper 103 API calls 105867->105869 105870 db7ec4 105868->105870 105876 db7ee7 105868->105876 105912 db7fc1 105868->105912 105871 db85ba 105869->105871 105872 da8af4 __write 58 API calls 105870->105872 105871->105860 105873 db7ec9 105872->105873 105874 da8b28 __flsbuf 58 API calls 105873->105874 105875 db7ed6 105874->105875 105878 da8db6 __controlfp_s 9 API calls 105875->105878 105877 db7fa5 105876->105877 105884 db7f83 105876->105884 105879 da8af4 __write 58 API calls 105877->105879 105905 db7ee0 105878->105905 105880 db7faa 105879->105880 105881 da8b28 __flsbuf 58 API calls 105880->105881 105882 db7fb7 105881->105882 105883 da8db6 __controlfp_s 9 API calls 105882->105883 105883->105912 105885 dad294 __alloc_osfhnd 61 API calls 105884->105885 105886 db8051 105885->105886 105887 db805b 105886->105887 105888 db807e 105886->105888 105890 da8af4 __write 58 API calls 105887->105890 105889 db7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105888->105889 105899 db80a0 105889->105899 105891 db8060 105890->105891 105893 da8b28 __flsbuf 58 API calls 105891->105893 105892 db811e GetFileType 105896 db816b 105892->105896 105897 db8129 GetLastError 105892->105897 105895 
db806a 105893->105895 105894 db80ec GetLastError 105900 da8b07 __dosmaperr 58 API calls 105894->105900 105901 da8b28 __flsbuf 58 API calls 105895->105901 105908 dad52a __set_osfhnd 59 API calls 105896->105908 105898 da8b07 __dosmaperr 58 API calls 105897->105898 105902 db8150 CloseHandle 105898->105902 105899->105892 105899->105894 105903 db7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105899->105903 105904 db8111 105900->105904 105901->105905 105902->105904 105906 db815e 105902->105906 105907 db80e1 105903->105907 105910 da8b28 __flsbuf 58 API calls 105904->105910 105905->105860 105909 da8b28 __flsbuf 58 API calls 105906->105909 105907->105892 105907->105894 105914 db8189 105908->105914 105911 db8163 105909->105911 105910->105912 105911->105904 105912->105866 105913 db8344 105913->105912 105917 db8517 CloseHandle 105913->105917 105914->105913 105915 db18c1 __lseeki64_nolock 60 API calls 105914->105915 105930 db820a 105914->105930 105916 db81f3 105915->105916 105920 da8af4 __write 58 API calls 105916->105920 105916->105930 105918 db7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105917->105918 105919 db853e 105918->105919 105922 db8572 105919->105922 105923 db8546 GetLastError 105919->105923 105920->105930 105921 db0e5b 70 API calls __read_nolock 105921->105930 105922->105912 105924 da8b07 __dosmaperr 58 API calls 105923->105924 105925 db8552 105924->105925 105927 dad43d __free_osfhnd 59 API calls 105925->105927 105926 db0add __close_nolock 61 API calls 105926->105930 105927->105922 105928 db97a2 __chsize_nolock 82 API calls 105928->105930 105929 dad886 __write 78 API calls 105929->105930 105930->105913 105930->105921 105930->105926 105930->105928 105930->105929 105931 db83c1 105930->105931 105932 db18c1 60 API calls __lseeki64_nolock 105930->105932 105933 db0add __close_nolock 61 API calls 105931->105933 105932->105930 105934 db83c8 105933->105934 105935 da8b28 __flsbuf 58 API calls 105934->105935 105935->105912 105936->105856 
105937->105862 105938->105862 105940 d84b83 105939->105940 105941 d84c3f LoadLibraryA 105939->105941 105940->105744 105940->105745 105941->105940 105942 d84c50 GetProcAddress 105941->105942 105942->105940 105944 d84ea3 FindResourceExW 105943->105944 105948 d84ec0 105943->105948 105945 dbd933 LoadResource 105944->105945 105944->105948 105946 dbd948 SizeofResource 105945->105946 105945->105948 105947 dbd95c LockResource 105946->105947 105946->105948 105947->105948 105948->105753 105950 dbd9ab 105949->105950 105951 d84ef4 105949->105951 105955 da584d 105951->105955 105953 d84f02 105953->105764 105954->105753 105959 da5859 _doexit 105955->105959 105956 da586b 105968 da8b28 58 API calls __getptd_noexit 105956->105968 105958 da5891 105970 da6c11 105958->105970 105959->105956 105959->105958 105960 da5870 105969 da8db6 9 API calls __controlfp_s 105960->105969 105963 da5897 105976 da57be 83 API calls 4 library calls 105963->105976 105965 da58a6 105977 da58c8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 105965->105977 105967 da587b _doexit 105967->105953 105968->105960 105969->105967 105971 da6c43 RtlEnterCriticalSection 105970->105971 105972 da6c21 105970->105972 105974 da6c39 105971->105974 105972->105971 105973 da6c29 105972->105973 105975 da9c0b __lock 58 API calls 105973->105975 105974->105963 105975->105974 105976->105965 105977->105967 105981 da55fd 105978->105981 105980 d84f2e 105980->105772 105982 da5609 _doexit 105981->105982 105983 da564c 105982->105983 105985 da5644 _doexit 105982->105985 105987 da561f _memset 105982->105987 105984 da6c11 __lock_file 59 API calls 105983->105984 105986 da5652 105984->105986 105985->105980 105994 da541d 105986->105994 106008 da8b28 58 API calls __getptd_noexit 105987->106008 105990 da5639 106009 da8db6 9 API calls __controlfp_s 105990->106009 105995 da5453 105994->105995 105997 da5438 _memset 105994->105997 106010 da5686 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 105995->106010 105996 da5443 106106 da8b28 
58 API calls __getptd_noexit 105996->106106 105997->105995 105997->105996 106006 da5493 105997->106006 105999 da5448 106107 da8db6 9 API calls __controlfp_s 105999->106107 106002 da55a4 _memset 106109 da8b28 58 API calls __getptd_noexit 106002->106109 106006->105995 106006->106002 106011 da46e6 106006->106011 106018 db0e5b 106006->106018 106086 db0ba7 106006->106086 106108 db0cc8 58 API calls 4 library calls 106006->106108 106008->105990 106009->105985 106010->105985 106012 da46f0 106011->106012 106013 da4705 106011->106013 106110 da8b28 58 API calls __getptd_noexit 106012->106110 106013->106006 106015 da46f5 106111 da8db6 9 API calls __controlfp_s 106015->106111 106017 da4700 106017->106006 106019 db0e7c 106018->106019 106020 db0e93 106018->106020 106121 da8af4 58 API calls __getptd_noexit 106019->106121 106021 db15cb 106020->106021 106025 db0ecd 106020->106025 106137 da8af4 58 API calls __getptd_noexit 106021->106137 106024 db0e81 106122 da8b28 58 API calls __getptd_noexit 106024->106122 106028 db0ed5 106025->106028 106034 db0eec 106025->106034 106026 db15d0 106138 da8b28 58 API calls __getptd_noexit 106026->106138 106123 da8af4 58 API calls __getptd_noexit 106028->106123 106031 db0ee1 106139 da8db6 9 API calls __controlfp_s 106031->106139 106032 db0eda 106124 da8b28 58 API calls __getptd_noexit 106032->106124 106035 db0f01 106034->106035 106036 db0f1b 106034->106036 106039 db0f39 106034->106039 106066 db0e88 106034->106066 106125 da8af4 58 API calls __getptd_noexit 106035->106125 106036->106035 106041 db0f26 106036->106041 106126 da881d 58 API calls 2 library calls 106039->106126 106112 db5c6b 106041->106112 106042 db0f49 106044 db0f6c 106042->106044 106045 db0f51 106042->106045 106129 db18c1 60 API calls 3 library calls 106044->106129 106127 da8b28 58 API calls __getptd_noexit 106045->106127 106046 db103a 106047 db10b3 ReadFile 106046->106047 106050 db1050 GetConsoleMode 106046->106050 106051 db1593 GetLastError 106047->106051 106052 db10d5 106047->106052 
                                    Control-flow Graph

                                    [Graph data not reproduced. The report exported this function's control-flow graph as a flat list of node IDs, code addresses and node->node edges, which is unreadable as text. What it records: nodes in the main image (0x00D8xxxx-0x00DFxxxx, the AutoIt runtime together with C runtime routines such as __flsbuf, __getptd_noexit, _doexit, __controlfp_s and __lock_file) whose labelled API calls are ReadConsoleW, ReadFile, WriteFile, WriteConsoleW, CreateFileW, GetConsoleMode, GetConsoleCP, MultiByteToWideChar, WideCharToMultiByte, GetLastError, CloseHandle, SetFilePointerEx, GetLongPathNameW, SetCurrentDirectoryW, GetStringTypeW, CharUpperBuffW, LoadIconW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetStdHandle, OleInitialize, CreateThread, RegisterClipboardFormatW, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo (reached via LoadLibraryA/GetProcAddress, followed by FreeLibrary), RtlEnterCriticalSection, RtlLeaveCriticalSection and InitializeCriticalSectionAndSpinCount; a separate cluster at 0x00ED7A50-0x00ED7C24 that calls LoadLibraryA, GetProcAddress, VirtualProtect (twice) and ExitProcess; and a cluster at 0x01061908-0x01064E72 annotated GetPEB and Sleep.]

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D83B68
                                    • IsDebuggerPresent.KERNEL32 ref: 00D83B7A
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E452F8,00E452E0,?,?), ref: 00D83BEB
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                      • Part of subcall function 00D9092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D83C14,00E452F8,?,?,?), ref: 00D9096E
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00D83C6F
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E37770,00000010), ref: 00DBD281
                                    • SetCurrentDirectoryW.KERNEL32(?,00E452F8,?,?,?), ref: 00DBD2B9
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E34260,00E452F8,?,?,?), ref: 00DBD33F
                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00DBD346
                                      • Part of subcall function 00D83A46: GetSysColorBrush.USER32(0000000F), ref: 00D83A50
                                      • Part of subcall function 00D83A46: LoadCursorW.USER32(00000000,00007F00), ref: 00D83A5F
                                      • Part of subcall function 00D83A46: LoadIconW.USER32(00000063), ref: 00D83A76
                                      • Part of subcall function 00D83A46: LoadIconW.USER32(000000A4), ref: 00D83A88
                                      • Part of subcall function 00D83A46: LoadIconW.USER32(000000A2), ref: 00D83A9A
                                      • Part of subcall function 00D83A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D83AC0
                                      • Part of subcall function 00D83A46: RegisterClassExW.USER32(?), ref: 00D83B16
                                      • Part of subcall function 00D839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D83A03
                                      • Part of subcall function 00D839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D83A24
                                      • Part of subcall function 00D839D5: ShowWindow.USER32(00000000,?,?), ref: 00D83A38
                                      • Part of subcall function 00D839D5: ShowWindow.USER32(00000000,?,?), ref: 00D83A41
                                      • Part of subcall function 00D8434A: _memset.LIBCMT ref: 00D84370
                                      • Part of subcall function 00D8434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D84415
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas$%
                                    • API String ID: 529118366-3343222573
                                    • Opcode ID: 75b2ff06ba8d76575260a69347650551d7d6958be1f02d0b63f4b2766948e27f
                                    • Instruction ID: 3f248c7a6f193ac05f2913c25cee5d7c7a02b4310ec5b967e77e759af91a3560
                                    • Opcode Fuzzy Hash: 75b2ff06ba8d76575260a69347650551d7d6958be1f02d0b63f4b2766948e27f
                                    • Instruction Fuzzy Hash: 2A510576904248AFCB11FBB5EC06EED7B79EB46B00F144066F455B2162DAB0864ACB35

                                    Control-flow Graph (function at 00D83633; rendered graph and edge list not reproduced)
                                    APIs
                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00D836D2
                                    • KillTimer.USER32(?,00000001), ref: 00D836FC
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D8371F
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D8372A
                                    • CreatePopupMenu.USER32 ref: 00D8373E
                                    • PostQuitMessage.USER32(00000000), ref: 00D8374D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                    • String ID: TaskbarCreated$%
                                    • API String ID: 157504867-3835587964
                                    • Opcode ID: 8d78775894ff89afdde4425e87cb6ca9351e0eb2b2b9e01b750a65f62ab84ff1
                                    • Instruction ID: a0bf6e24e90afbebbfbf41704621c9ec2c18e2693cb88d9e7b1a8c7958179530
                                    • Opcode Fuzzy Hash: 8d78775894ff89afdde4425e87cb6ca9351e0eb2b2b9e01b750a65f62ab84ff1
                                    • Instruction Fuzzy Hash: 9E415CB2100605FFDB247F6CEC0AB7D3765EB05700F180526F506B62A2EAA1DD5A9376

                                    Control-flow Graph (function at 00D849A0; rendered graph and edge list not reproduced)
                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 00D849CD
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    • GetCurrentProcess.KERNEL32(?,00E0FAEC,00000000,00000000,?), ref: 00D84A9A
                                    • IsWow64Process.KERNEL32(00000000), ref: 00D84AA1
                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00D84AE7
                                    • FreeLibrary.KERNEL32(00000000), ref: 00D84AF2
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00D84B23
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00D84B2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                    • String ID:
                                    • API String ID: 1986165174-0
                                    • Opcode ID: 2572711690077e5a5f9fdb0c8853c753f95f3674d3467d27e9210dda20861575
                                    • Instruction ID: 206500cf663863f7b7aad2a2d942469500abac724aa55026d3b0f3bdaf842b1a
                                    • Opcode Fuzzy Hash: 2572711690077e5a5f9fdb0c8853c753f95f3674d3467d27e9210dda20861575
                                    • Instruction Fuzzy Hash: E191D33598A7C1DEC735EB7884501EABFF5AF2A304B4849AED0C797A01D220F548C779

                                    Control-flow Graph (function at 00D84E89; rendered graph and edge list not reproduced)
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D84E99
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D84D8E,?,?,00000000,00000000), ref: 00D84EB0
                                    • LoadResource.KERNEL32(?,00000000,?,?,00D84D8E,?,?,00000000,00000000,?,?,?,?,?,?,00D84E2F), ref: 00DBD937
                                    • SizeofResource.KERNEL32(?,00000000,?,?,00D84D8E,?,?,00000000,00000000,?,?,?,?,?,?,00D84E2F), ref: 00DBD94C
                                    • LockResource.KERNEL32(00D84D8E,?,?,00D84D8E,?,?,00000000,00000000,?,?,?,?,?,?,00D84E2F,00000000), ref: 00DBD95F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT
                                    • API String ID: 3051347437-3967369404
                                    • Opcode ID: e26f3a215dfde4865346594530a46aa78c979b8b381a1a1ad6b5ffc1173a6f3a
                                    • Instruction ID: eb2635bea4eed19048bf250baa2cd6a938ff7a6195ff45ef799054a1790304d8
                                    • Opcode Fuzzy Hash: e26f3a215dfde4865346594530a46aa78c979b8b381a1a1ad6b5ffc1173a6f3a
                                    • Instruction Fuzzy Hash: 4E119E70200701BFD7219BA6EC48F677BBAFBC5B11F144268F406A6660EB62E8448A70
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: pb$%
                                    • API String ID: 3964851224-1798441486
                                    • Opcode ID: 55ede6b5b88fddc2decef5989c7826bef8b7b68afa8806b995296ce5c3573f04
                                    • Instruction ID: b4c0c670e023bce0599e487b72813589ca2da35e88bbec0091b714e541befc69
                                    • Opcode Fuzzy Hash: 55ede6b5b88fddc2decef5989c7826bef8b7b68afa8806b995296ce5c3573f04
                                    • Instruction Fuzzy Hash: A8925B706083419FDB20DF14C490B2ABBE1FF89314F18896DE99A9B361D775EC45CBA2

                                    Control-flow Graph (function at 00ED7A50; rendered graph and edge list not reproduced)
                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 00ED7B8A
                                    • GetProcAddress.KERNEL32(?,00ED0FF9), ref: 00ED7BA8
                                    • ExitProcess.KERNEL32(?,00ED0FF9), ref: 00ED7BB9
                                    • VirtualProtect.KERNELBASE(00D80000,00001000,00000004,?,00000000), ref: 00ED7C07
                                    • VirtualProtect.KERNELBASE(00D80000,00001000), ref: 00ED7C1C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: 88772f9ec1ee9797eed5a5da726c91e27b381b13ba9f00fce6bed8d9a9ee1d6e
                                    • Instruction ID: 0690d2fad84039abc35940ad671f70de44fe3923f12f98f5704942bc51241258
                                    • Opcode Fuzzy Hash: 88772f9ec1ee9797eed5a5da726c91e27b381b13ba9f00fce6bed8d9a9ee1d6e
                                    • Instruction Fuzzy Hash: 74512772A5C3524BD7208FB8CC806A9B791EB42368728277BD5E2E73C5F7A05D078760
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,00DBE398), ref: 00DE446A
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00DE447B
                                    • FindClose.KERNEL32(00000000), ref: 00DE448B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    • Opcode ID: c550376bf1ec393e32d7ada2dfa5a6002d6c66ae36d8c200921f115ac0e99c8a
                                    • Instruction ID: a3d4b46515ba2e659eb205884725e3781ad64d80d6e1d0465ace83fe976f6e92
                                    • Opcode Fuzzy Hash: c550376bf1ec393e32d7ada2dfa5a6002d6c66ae36d8c200921f115ac0e99c8a
                                    • Instruction Fuzzy Hash: 2DE0DF329109416B8220BB79EC0D8EA779C9F05335F240726FA39D24E0EBB4999496A6
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D90A5B
                                    • timeGetTime.WINMM ref: 00D90D16
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D90E53
                                    • Sleep.KERNEL32(0000000A), ref: 00D90E61
                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00D90EFA
                                    • DestroyWindow.USER32 ref: 00D90F06
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D90F20
                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00DC4E83
                                    • TranslateMessage.USER32(?), ref: 00DC5C60
                                    • DispatchMessageW.USER32(?), ref: 00DC5C6E
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DC5C82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
                                    • API String ID: 4212290369-1420604165
                                    • Opcode ID: 560551b2f852bf1d3d727c40d1317f9c61e15d96878a08e7b085b6aaa42e9f0c
                                    • Instruction ID: 7c95534368e1607fea5bb2e002252de5111ab107796117338a505296d1472dd0
                                    • Opcode Fuzzy Hash: 560551b2f852bf1d3d727c40d1317f9c61e15d96878a08e7b085b6aaa42e9f0c
                                    • Instruction Fuzzy Hash: 07B2AF70608742DFDB24DB24D884F6ABBE5FF85304F18491DE499972A1C771E885CBB2

                                    Control-flow Graph (rendered graph not reproduced)

                                    APIs
                                      • Part of subcall function 00DE8F5F: __time64.LIBCMT ref: 00DE8F69
                                      • Part of subcall function 00D84EE5: _fseek.LIBCMT ref: 00D84EFD
                                    • __wsplitpath.LIBCMT ref: 00DE9234
                                      • Part of subcall function 00DA40FB: __wsplitpath_helper.LIBCMT ref: 00DA413B
                                    • _wcscpy.LIBCMT ref: 00DE9247
                                    • _wcscat.LIBCMT ref: 00DE925A
                                    • __wsplitpath.LIBCMT ref: 00DE927F
                                    • _wcscat.LIBCMT ref: 00DE9295
                                    • _wcscat.LIBCMT ref: 00DE92A8
                                      • Part of subcall function 00DE8FA5: _memmove.LIBCMT ref: 00DE8FDE
                                      • Part of subcall function 00DE8FA5: _memmove.LIBCMT ref: 00DE8FED
                                    • _wcscmp.LIBCMT ref: 00DE91EF
                                      • Part of subcall function 00DE9734: _wcscmp.LIBCMT ref: 00DE9824
                                      • Part of subcall function 00DE9734: _wcscmp.LIBCMT ref: 00DE9837
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DE9452
                                    • _wcsncpy.LIBCMT ref: 00DE94C5
                                    • DeleteFileW.KERNEL32(?,?), ref: 00DE94FB
                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE9511
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE9522
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE9534
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                    • String ID:
                                    • API String ID: 1500180987-0
                                    • Opcode ID: fb53bc0ed482129ccbb3680991ba3164518b2310e31196c7c31a97483aee1313
                                    • Instruction ID: bca42f0679ec33365a076d61dee41a227355abda0fd54b11844ce96ce72433f0
                                    • Opcode Fuzzy Hash: fb53bc0ed482129ccbb3680991ba3164518b2310e31196c7c31a97483aee1313
                                    • Instruction Fuzzy Hash: 14C15BB1D01219AACF21EFA5CC91ADEB7BCEF55310F0040AAF609E6151EB309A848F75

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00D84706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E452F8,?,00D837AE,?), ref: 00D84724
                                      • Part of subcall function 00DA050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D87165), ref: 00DA052D
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D871A8
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DBE8C8
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DBE909
                                    • RegCloseKey.ADVAPI32(?), ref: 00DBE947
                                    • _wcscat.LIBCMT ref: 00DBE9A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                    • API String ID: 2673923337-2727554177
                                    • Opcode ID: 08caf18ee77fbdb3f4eb84b381d5c43bffcbd4ec310962ceb078f39384b3d3d4
                                    • Instruction ID: 5118145b7fa0702ada1119d1b708206fefec22834e8cdbe37bae0158ccdccd17
                                    • Opcode Fuzzy Hash: 08caf18ee77fbdb3f4eb84b381d5c43bffcbd4ec310962ceb078f39384b3d3d4
                                    • Instruction Fuzzy Hash: 28718E75508301AEC710EF26E8419ABBBE8FF86310B44092EF445A71B0DBB1D94DCBB6

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00D83A50
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00D83A5F
                                    • LoadIconW.USER32(00000063), ref: 00D83A76
                                    • LoadIconW.USER32(000000A4), ref: 00D83A88
                                    • LoadIconW.USER32(000000A2), ref: 00D83A9A
                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D83AC0
                                    • RegisterClassExW.USER32(?), ref: 00D83B16
                                      • Part of subcall function 00D83041: GetSysColorBrush.USER32(0000000F), ref: 00D83074
                                      • Part of subcall function 00D83041: RegisterClassExW.USER32(00000030), ref: 00D8309E
                                      • Part of subcall function 00D83041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D830AF
                                      • Part of subcall function 00D83041: LoadIconW.USER32(000000A9), ref: 00D830F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 2880975755-4155596026
                                    • Opcode ID: b26977cb8bcb3948bb1c5446c8022d7170463dcf6a8ad67d46ec55e4a079d843
                                    • Instruction ID: 38dffd7ed4559ac886510de39b0cd1dd501320d888fbe2cc9782599cc933c9f9
                                    • Opcode Fuzzy Hash: b26977cb8bcb3948bb1c5446c8022d7170463dcf6a8ad67d46ec55e4a079d843
                                    • Instruction Fuzzy Hash: 65215976910304AFEB11DFA6EC09B9D7BB0FB09711F00012AF504B62B2D3F656598F99

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
                                    • API String ID: 1825951767-347772802
                                    • Opcode ID: 8abdcd29a09130998364dea2189d5cc9894168906b3dfec3d1d7561bc63cded4
                                    • Instruction ID: c29f80528cbc5f8d45b6f8fa0870967cdffd5836e9f245bf4193a64ba6be6ff2
                                    • Opcode Fuzzy Hash: 8abdcd29a09130998364dea2189d5cc9894168906b3dfec3d1d7561bc63cded4
                                    • Instruction Fuzzy Hash: 16A15A72900219AACB05FBA4DC91AEEB779FF15710F44052AF416B7192EF749A09CBB0

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00D83074
                                    • RegisterClassExW.USER32(00000030), ref: 00D8309E
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D830AF
                                    • LoadIconW.USER32(000000A9), ref: 00D830F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 975902462-1005189915
                                    • Opcode ID: 3a742728e760a12c6056d61af4ce8161cc145f65275e969fa4df8671f4c1b1db
                                    • Instruction ID: 588bf46524b45e2b3d07f9a4044292fc4ed7ef7c3bf81077ab77632c83653f03
                                    • Opcode Fuzzy Hash: 3a742728e760a12c6056d61af4ce8161cc145f65275e969fa4df8671f4c1b1db
                                    • Instruction Fuzzy Hash: 9A3149B6941309EFDB50CFA5D849ACDBBF4FB0A310F14412AE580E62A1D7B5059ACF91

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00D83074
                                    • RegisterClassExW.USER32(00000030), ref: 00D8309E
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D830AF
                                    • LoadIconW.USER32(000000A9), ref: 00D830F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 975902462-1005189915
                                    • Opcode ID: 6445d9d0a1a61454400d5cdd5caa8e68fa387f8856193ef856bffab9069e935f
                                    • Instruction ID: 4efc5a04be467ed19bd7bbb913e5893e474aa3b4c42c291df4db8502cec030c3
                                    • Opcode Fuzzy Hash: 6445d9d0a1a61454400d5cdd5caa8e68fa387f8856193ef856bffab9069e935f
                                    • Instruction Fuzzy Hash: F021F7B6910308AFDB10DFA6EC49B9DBBF4FB0D700F00412AF510B62A1DBB245998F95

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00DA0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DA0193
                                      • Part of subcall function 00DA0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DA019B
                                      • Part of subcall function 00DA0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DA01A6
                                      • Part of subcall function 00DA0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DA01B1
                                      • Part of subcall function 00DA0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DA01B9
                                      • Part of subcall function 00DA0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DA01C1
                                      • Part of subcall function 00D960F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00D96154
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D8F9CD
                                    • OleInitialize.OLE32(00000000), ref: 00D8FA4A
                                    • CloseHandle.KERNEL32(00000000), ref: 00DC45C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                    • String ID: <W$\T$%$S
                                    • API String ID: 3094916012-191198415
                                    • Opcode ID: 777b3ea33a4f27a752c77fca35f7327ade88c4237314d77f8440306cb85b82d1
                                    • Instruction ID: 67a4ccf3014fd2c292fc3def6bfb4c4048c3184b3accc2255303ccd1663b48ac
                                    • Opcode Fuzzy Hash: 777b3ea33a4f27a752c77fca35f7327ade88c4237314d77f8440306cb85b82d1
                                    • Instruction Fuzzy Hash: 5C81B5BA901B40CFC384DF3BA8456187BE5FB8A316754513AD12AEB263E774448ECF21

                                    Control-flow Graph

                                     • Control-flow graph image not extracted (legend: executed / not executed). Basic blocks 1062228-10623e0 form a linear chain in which every failed step branches to the common exit at 10623dc: 1062228 CreateFileW -> 10622a3 VirtualAlloc -> 10622c3 CreateFileW -> 106230d ReadFile -> 1062370 WriteFile -> 10623b2 CloseHandle, VirtualFree.
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0106226D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1061000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction ID: 45e82166cac3d5e246cb08ff230370d232c49e99ffc8ac558e3060a6e9dcb724
                                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction Fuzzy Hash: 6651E875A50209FFEF60DFA4CC49FDE77B8AF48701F108954F64AEA1C0DA7496448B64
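                                     The function above is the one entry in this part of the report whose source region is marked "based on PE: false" with protection value 00000040: executable memory that is not backed by a mapped image, which together with the CreateFileW / VirtualAlloc / ReadFile / WriteFile chain in its graph is the shape of an unpacked or injected stage rather than of the AutoIt interpreter mapped at 00D80000. The Python below is an added triage example, not Joe Sandbox code or part of this report: it decodes the .sdmp names from the two Memory Dump Source entries on this page to flag executable, non-image memory, and decodes the argument string the report records for CreateFileW (the share-mode 00000007 call recorded at 01063E73 further down is used as the second input). The field layout of the .sdmp name (protection and region type as the fifth and seventh fields) is an assumption inferred from the names on this page and cross-checked against the report's own "based on PE" flag; the Windows constant values are documented.

```python
"""Triage helpers for Joe Sandbox memory-dump names and recorded CreateFileW calls.

Added example for this report; not Joe Sandbox's own code.  Assumption: an .sdmp
name is laid out as <pid>.<seq>.<dump id>.<base>.<protect>.<?>.<type>.<?>.sdmp
with <protect> and <type> holding MEMORY_BASIC_INFORMATION Protect and Type
values.  That layout is inferred from the names in this report; the Windows
constants below are documented values.
"""
import re

PROTECT_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_PROTECTS = {0x10, 0x20, 0x40, 0x80}
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
TYPE_NAMES = {MEM_IMAGE: "MEM_IMAGE", MEM_MAPPED: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}

SDMP_RE = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")

# Constructed sample input: the two "Source File" lines from the entries on this page.
SAMPLE_LINES = [
    "Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true",
    "Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false",
]


def classify_regions(lines):
    """Decode each sdmp name; flag executable memory that is not backed by an image."""
    regions = []
    for line in lines:
        m = SDMP_RE.search(line)
        if not m:
            continue
        protect = int(m.group(5), 16) & 0xFF   # strip PAGE_GUARD/NOCACHE/WRITECOMBINE modifiers
        mtype = int(m.group(7), 16)
        pe = re.search(r"based on PE:\s*(true|false)", line)
        r = {
            "base": int(m.group(4), 16),
            "protect": PROTECT_NAMES.get(protect, hex(protect)),
            "type": TYPE_NAMES.get(mtype, hex(mtype)),
            "executable": protect in EXEC_PROTECTS,
            "image_backed": mtype == MEM_IMAGE,
        }
        # Cross-check of the assumed layout: the report's own "based on PE" flag
        # must agree with Type == MEM_IMAGE, otherwise the field guess is wrong.
        r["agrees_with_report"] = pe is None or (pe.group(1) == "true") == r["image_backed"]
        # Executable pages with no backing image are where unpacked/injected code lives.
        r["suspicious"] = r["executable"] and not r["image_backed"]
        regions.append(r)
    return regions


ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def _flags(value, names):
    return [n for bit, n in names.items() if value & bit] or ["0"]


def decode_createfilew(arg_list):
    """Decode the argument string the report records for a CreateFileW call.

    arg_list: e.g. "?,80000000,00000007,00000000,00000003,00000080,00000000";
    '?' is a pointer the sandbox could not resolve (here lpFileName).
    """
    a = arg_list.split(",")
    if len(a) < 7:
        raise ValueError("CreateFileW takes seven arguments")
    access, share, disp, attrs = (int(a[i], 16) for i in (1, 2, 4, 5))
    return {
        "filename": a[0],
        "access": _flags(access, ACCESS),
        "share": _flags(share, SHARE),
        "disposition": DISPOSITION.get(disp, hex(disp)),
        "attributes": "FILE_ATTRIBUTE_NORMAL" if attrs == 0x80 else hex(attrs),
    }


if __name__ == "__main__":
    for r in classify_regions(SAMPLE_LINES):
        print(f"{r['base']:#010x} {r['protect']:<24} {r['type']:<12} "
              f"{'executable, not image-backed' if r['suspicious'] else 'image'}")
    print(decode_createfilew("?,80000000,00000001,00000000,00000003,00000080,00000000"))
    print(decode_createfilew("?,80000000,00000007,00000000,00000003,00000080,00000000"))
```

                                     Run against the two lines above, the D81000 region decodes as MEM_IMAGE and the 01061000 region as MEM_PRIVATE with PAGE_EXECUTE_READWRITE, both agreeing with the report's "based on PE" flag, so only the latter is flagged. The second CreateFileW decode shows the difference between the two recorded calls: the call at 0106226D opens with FILE_SHARE_READ only, the one at 01063E73 with read, write and delete sharing, which is what a stage needs if it intends to overwrite or remove the file it is reading.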

                                    Control-flow Graph

                                     • Control-flow graph image not extracted (legend: executed / not executed). Single basic block d839d5-d83a45 calling CreateWindowExW twice and ShowWindow twice.
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D83A03
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D83A24
                                    • ShowWindow.USER32(00000000,?,?), ref: 00D83A38
                                    • ShowWindow.USER32(00000000,?,?), ref: 00D83A41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: 46a1b22b9dfe49c66688d893260033f7f74305b2b95d910c08d7f5b5ddc0bcf1
                                    • Instruction ID: fe1f65908710fc5329a9fe24c18bc22d79bb2549ab204e7f55010f3f9ef098d9
                                    • Opcode Fuzzy Hash: 46a1b22b9dfe49c66688d893260033f7f74305b2b95d910c08d7f5b5ddc0bcf1
                                    • Instruction Fuzzy Hash: 63F03A766402907FEA3157276C09E2B3E7DE7C7F50B00002FF900B25B1C2A10C56CAB4

                                    Control-flow Graph

                                     • Control-flow graph image not extracted (legend: executed / not executed). Entry block d8407c-d84092 branches either to the exit at d8416f-d84173 or through d84098-d840ad and d840b3-d840d3; one path takes LoadStringW at dbd3c8-dbd3d7, the other d840d9-d840e8 or d84174-d8417d; all paths converge on d840ed-d8416a (_memset, _wcscpy, Shell_NotifyIconW) before reaching the exit.
                                    APIs
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DBD3D7
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    • _memset.LIBCMT ref: 00D840FC
                                    • _wcscpy.LIBCMT ref: 00D84150
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D84160
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 3942752672-1585850449
                                    • Opcode ID: bb627225db70127dca98ba5607f480b4904d45369adf009029c73d30f437633f
                                    • Instruction ID: fed565200788e7df37b1aca084ccc6d84878bff76bc8ae4ca260d58cfccf2e85
                                    • Opcode Fuzzy Hash: bb627225db70127dca98ba5607f480b4904d45369adf009029c73d30f437633f
                                    • Instruction Fuzzy Hash: D031AF72408305AFD721FB60EC45FDB77E8EF45314F24451AF585A20A2EB70A648C7B6
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                    • String ID:
                                    • API String ID: 1559183368-0
                                    • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                    • Instruction ID: 37dc93871137711a20e1714e655babc47704d3950be5cbb16b54386358ee82d3
                                    • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                    • Instruction Fuzzy Hash: 8D51C571E00B05DBCB248F69E8405AE77B2EF46331F288729F825962D9D7B1DD508B71
                                    APIs
                                      • Part of subcall function 00D84DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84E0F
                                    • _free.LIBCMT ref: 00DBE263
                                    • _free.LIBCMT ref: 00DBE2AA
                                      • Part of subcall function 00D86A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D86BAD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 2861923089-1757145024
                                    • Opcode ID: 456427c23750f48f171461b9e72ee88bedded4b5dffe8430804dc57b9df4ecc4
                                    • Instruction ID: d3821cc8e59a6d51c5470d87d6e028da6217714102048f9596bc8c97b68b2215
                                    • Opcode Fuzzy Hash: 456427c23750f48f171461b9e72ee88bedded4b5dffe8430804dc57b9df4ecc4
                                    • Instruction Fuzzy Hash: 40914971900219EFCF14EFA4C8919EDB7B8FF19310B14452AF816AB2A1DB71A955CBB0
                                    APIs
                                      • Part of subcall function 01063C08: Sleep.KERNELBASE(000001F4), ref: 01063C19
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01063E73
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1061000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: RZDRWMEKT0UK5GA7OG4571SH5P
                                    • API String ID: 2694422964-251418507
                                    • Opcode ID: e246e630512e6dba88aef32a7f484b7a157dbfe6539e527ab1948bb9cab9dfe9
                                    • Instruction ID: e7eb104f6124cd8fcdc26a9c31379f110b0b9747c30cfa06a9ec1c2b40cf003f
                                    • Opcode Fuzzy Hash: e246e630512e6dba88aef32a7f484b7a157dbfe6539e527ab1948bb9cab9dfe9
                                    • Instruction Fuzzy Hash: 92618530D04288DAEF11DBB4C844BEFBBB9AF15304F044199E2897B2C1D7B91B45CBA5
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D835A1,SwapMouseButtons,00000004,?), ref: 00D835D4
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00D835A1,SwapMouseButtons,00000004,?,?,?,?,00D82754), ref: 00D835F5
                                    • RegCloseKey.KERNELBASE(00000000,?,?,00D835A1,SwapMouseButtons,00000004,?,?,?,?,00D82754), ref: 00D83617
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: 66ec829f83683b96c3760986ef05a27fee8ebe7be1d1733976cd6af453c94dc2
                                    • Instruction ID: 520c6293cb76893ebb1b06f06164b9a1add41bfa99ac1f42579169c340c2b240
                                    • Opcode Fuzzy Hash: 66ec829f83683b96c3760986ef05a27fee8ebe7be1d1733976cd6af453c94dc2
                                    • Instruction Fuzzy Hash: 23115A71510208BFDB209F69DC41DAEB7BCEF04B40F008469F809E7210E2719F549770
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                    • String ID:
                                    • API String ID: 2782032738-0
                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                    • Instruction ID: 9e669888446229250b80e03430dbc514eaa423b552c09e5a93d1ef3a1e5ec24d
                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                    • Instruction Fuzzy Hash: 0C41D475A007859BDB18CF79D8809AE77A5EFC7360B28813DE815C7680DBB4DD408BB0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID: AU3!P/$EA06
                                    • API String ID: 4104443479-182974850
                                    • Opcode ID: b4b77c3dabd846b0c8008c431830504135fd125be59fa5a1e2ad93835e532cd1
                                    • Instruction ID: f63adda72ac0cc7f7094733406abe42f2a2bd83c78762a6ecac62ec1fba7c2ce
                                    • Opcode Fuzzy Hash: b4b77c3dabd846b0c8008c431830504135fd125be59fa5a1e2ad93835e532cd1
                                    • Instruction Fuzzy Hash: 1C414C22A0425A67DF22BB64CC517BE7FA6DB45310F6C4475FC829B286D6209D4483B1
                                    APIs
                                    • _memset.LIBCMT ref: 00DBEA39
                                    • 762ED0D0.COMDLG32(?), ref: 00DBEA83
                                      • Part of subcall function 00D84750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D84743,?,?,00D837AE,?), ref: 00D84770
                                      • Part of subcall function 00DA0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DA07B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: NamePath$FullLong_memset
                                    • String ID: X
                                    • API String ID: 3051022977-3081909835
                                    • Opcode ID: f7b24890f72dbfc6568b712c1ab07b2f65f95a6d471eb497a90a46870277df9d
                                    • Instruction ID: eb048efc3361b5361576dbe750a37019877294eba8570c679ff4f27e14092451
                                    • Opcode Fuzzy Hash: f7b24890f72dbfc6568b712c1ab07b2f65f95a6d471eb497a90a46870277df9d
                                    • Instruction Fuzzy Hash: 0621A131A002489BDB51AF94C845BEE7BFCAF49714F10401AE408B7241DBB49989CFB1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __fread_nolock_memmove
                                    • String ID: EA06
                                    • API String ID: 1988441806-3962188686
                                    • Opcode ID: 6ee98825d4b92335684dcbaab288f8fe9eb9cbb079ccedad0462dee5972b12b7
                                    • Instruction ID: 465584367f6c3598289d6a7e06d4e6c9453f88dd1362a00d2b16b5074b85fe88
                                    • Opcode Fuzzy Hash: 6ee98825d4b92335684dcbaab288f8fe9eb9cbb079ccedad0462dee5972b12b7
                                    • Instruction Fuzzy Hash: 7E01F971C042587EDB18DAA8DC16EEE7BF8DB11311F00419AF556D2181E875E6049770
                                    APIs
                                      • Part of subcall function 00DA571C: __FF_MSGBANNER.LIBCMT ref: 00DA5733
                                      • Part of subcall function 00DA571C: __NMSG_WRITE.LIBCMT ref: 00DA573A
                                      • Part of subcall function 00DA571C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001), ref: 00DA575F
                                    • std::exception::exception.LIBCMT ref: 00DA0DEC
                                    • __CxxThrowException@8.LIBCMT ref: 00DA0E01
                                      • Part of subcall function 00DA859B: RaiseException.KERNEL32(?,?,00000000,00E39E78,?,00000001,?,?,?,00DA0E06,00000000,00E39E78,00D89E8C,00000001), ref: 00DA85F0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID: bad allocation
                                    • API String ID: 3902256705-2104205924
                                    • Opcode ID: b2fedeac6d583d40c4663aeb2eab18796f7c32469f37ab63c16fe293cfa97cc5
                                    • Instruction ID: 2b0f46f4b9810aa3b98950254a717b6e098e7843e2692f5247b476d658336550
                                    • Opcode Fuzzy Hash: b2fedeac6d583d40c4663aeb2eab18796f7c32469f37ab63c16fe293cfa97cc5
                                    • Instruction Fuzzy Hash: 5CF0A43290031966CF10BAA4EC069DE7BACDF07311F140429FD04A6691DFB1DA90D2F1
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 0106294D
                                    • ExitProcess.KERNEL32(00000000), ref: 0106296C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1061000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Process$CreateExit
                                    • String ID: D
                                    • API String ID: 126409537-2746444292
                                    • Opcode ID: 9f0fea074abf0f39dd8420fc00d89007b68beb3d91da31db31286a021e466f34
                                    • Instruction ID: 549e9c496d64e450858c5690393c0a77d59033a16677210733295b4c0d7a8bbc
                                    • Opcode Fuzzy Hash: 9f0fea074abf0f39dd8420fc00d89007b68beb3d91da31db31286a021e466f34
                                    • Instruction Fuzzy Hash: 03F0FF7164024DABDB60EFE0CC49FEE777CBF44701F408508FB5A9A184DA7496088B61
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00DE98F8
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DE990F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: a839bf46811dfaef139767ad3783e439777752bbc4968449222309f877fee479
                                    • Instruction ID: 4d8b1c4f0906d362542ef7b05c116d28af82b3a7098154878f2ac6e881a9385b
                                    • Opcode Fuzzy Hash: a839bf46811dfaef139767ad3783e439777752bbc4968449222309f877fee479
                                    • Instruction Fuzzy Hash: 35D05B7554030DAFDB609B90DC0EF96773CD704701F4002B1FA94A10A1E97155A88B91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0bc9243ba95d3b8f81896c21d0a122d9c88bdd7184e1b9fbb3c427f79ffe8816
                                    • Instruction ID: 62700e8a28df379bc4c538c3e0046928d8e5c97fead8bdcffca5cc39ed68dad7
                                    • Opcode Fuzzy Hash: 0bc9243ba95d3b8f81896c21d0a122d9c88bdd7184e1b9fbb3c427f79ffe8816
                                    • Instruction Fuzzy Hash: 31F126706083099FC714EF28C580A6ABBE5FF88314F15892EF9999B351D730E945CFA2
                                    APIs
                                    • _memset.LIBCMT ref: 00D84370
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D84415
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D84432
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_$_memset
                                    • String ID:
                                    • API String ID: 1505330794-0
                                    • Opcode ID: 254a47a42e2bdd89aa3e48e7ebf0a737fd8df5b82d84d7887db4e21f20abef56
                                    • Instruction ID: 7df7427aadd05285c4660e54ef3ed0026dffe421d3bc9111d22e11cac1898fc3
                                    • Opcode Fuzzy Hash: 254a47a42e2bdd89aa3e48e7ebf0a737fd8df5b82d84d7887db4e21f20abef56
                                    • Instruction Fuzzy Hash: B83193B1504702CFD721EF65D88469BBBF8FB49308F00092EF59A92251E7B1A948CB66
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00DA5733
                                      • Part of subcall function 00DAA16B: __NMSG_WRITE.LIBCMT ref: 00DAA192
                                      • Part of subcall function 00DAA16B: __NMSG_WRITE.LIBCMT ref: 00DAA19C
                                    • __NMSG_WRITE.LIBCMT ref: 00DA573A
                                      • Part of subcall function 00DAA1C8: GetModuleFileNameW.KERNEL32(00000000,00E433BA,00000104,00000000,00000001,00000000), ref: 00DAA25A
                                      • Part of subcall function 00DAA1C8: ___crtMessageBoxW.LIBCMT ref: 00DAA308
                                      • Part of subcall function 00DA309F: ___crtCorExitProcess.LIBCMT ref: 00DA30A5
                                      • Part of subcall function 00DA309F: ExitProcess.KERNEL32 ref: 00DA30AE
                                      • Part of subcall function 00DA8B28: __getptd_noexit.LIBCMT ref: 00DA8B28
                                    • RtlAllocateHeap.NTDLL(01020000,00000000,00000001), ref: 00DA575F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    • Opcode ID: a23580d79b54015f4da7ad35ad4bd5c28a6b59591d886d19ea30851ab0ddc5b2
                                    • Instruction ID: 25799e3f1b5ef6890aea4f3d9ca5a66f054fd34a3b0d5c88f600a0f5f103a02e
                                    • Opcode Fuzzy Hash: a23580d79b54015f4da7ad35ad4bd5c28a6b59591d886d19ea30851ab0ddc5b2
                                    • Instruction Fuzzy Hash: A801F135200B01EED6113B39FC82A2E7398CB83362F240526FA15BA196EFB0CC418671
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00DE9548,?,?,?,?,?,00000004), ref: 00DE98BB
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DE9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00DE98D1
                                    • CloseHandle.KERNEL32(00000000,?,00DE9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DE98D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    • Opcode ID: d7fc6adc818d9f8bb71ea76e779528a5a060b85110fc638c29a7d6d35a6c1fd7
                                    • Instruction ID: 17263e8d793a9bfc60c4ffb97a0aed13d5b24ec519c80b9f238f0cbbd5b311fe
                                    • Opcode Fuzzy Hash: d7fc6adc818d9f8bb71ea76e779528a5a060b85110fc638c29a7d6d35a6c1fd7
                                    • Instruction Fuzzy Hash: C8E08632141218BBD7312B55EC09FCA7B19AB06B71F144220FB54794E187B2156597D8
                                    APIs
                                    • _free.LIBCMT ref: 00DE8D1B
                                      • Part of subcall function 00DA2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA9A24), ref: 00DA2D69
                                      • Part of subcall function 00DA2D55: GetLastError.KERNEL32(00000000,?,00DA9A24), ref: 00DA2D7B
                                    • _free.LIBCMT ref: 00DE8D2C
                                    • _free.LIBCMT ref: 00DE8D3E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                    • Instruction ID: 4dc6b5276c033cce451359ded3d3fe46a99ca540dc536c1cfb8780717baf365f
                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                    • Instruction Fuzzy Hash: CAE017A16016414ACF25B6BEAD40AA363EC8F99352B180D1EB40DD7187CEA4F88291B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CALL
                                    • API String ID: 0-4196123274
                                    • Opcode ID: aa5218a6fe916ac668d6269bffec220167bffa11814fe8c78d2c9ba6c029e4b1
                                    • Instruction ID: f187d3bca3ed6dea5689a449bdd368cccdf1dc2c299f3d1808d3893111df6631
                                    • Opcode Fuzzy Hash: aa5218a6fe916ac668d6269bffec220167bffa11814fe8c78d2c9ba6c029e4b1
                                    • Instruction Fuzzy Hash: 3E224774508301DFDB24EF18C490A6ABBE1FF85314F18895EE89A9B361D731ED45CBA2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
                                    • Instruction ID: 9e4ea8d53f42e26c86a7464a62d1e12980b02c10e3a1c9423fa0d7ccf64eda09
                                    • Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
                                    • Instruction Fuzzy Hash: 063188B2604506AFC704EF68C8D1D69F7A9FF493207258629E51DCB791EB30F950CBA0
                                    APIs
                                    • 7524C8D0.UXTHEME ref: 00D84834
                                      • Part of subcall function 00DA336C: __lock.LIBCMT ref: 00DA3372
                                      • Part of subcall function 00DA336C: RtlDecodePointer.NTDLL(00000001), ref: 00DA337E
                                      • Part of subcall function 00DA336C: RtlEncodePointer.NTDLL(?), ref: 00DA3389
                                      • Part of subcall function 00D848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D84915
                                      • Part of subcall function 00D848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D8492A
                                      • Part of subcall function 00D83B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D83B68
                                      • Part of subcall function 00D83B3A: IsDebuggerPresent.KERNEL32 ref: 00D83B7A
                                      • Part of subcall function 00D83B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E452F8,00E452E0,?,?), ref: 00D83BEB
                                      • Part of subcall function 00D83B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00D83C6F
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D84874
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$7524DebuggerDecodeEncodeFullNamePathPresent__lock
                                    • String ID:
                                    • API String ID: 3926889080-0
                                    • Opcode ID: 0f28e845984937cecfce65b26ce7bb200d8503353821fc78918b25234c6a8607
                                    • Instruction ID: 5b5803fc85678b4de250bd449a7b3aec2b556707ed141b3192e1a8263bf011c3
                                    • Opcode Fuzzy Hash: 0f28e845984937cecfce65b26ce7bb200d8503353821fc78918b25234c6a8607
                                    • Instruction Fuzzy Hash: 67116F719183029FCB00EF2AD80591ABFF8EB86750F10451FF045A3271DBB0954ACBA6
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    • Opcode ID: 95d6b0940c2dd69506a72ee891b523cea7139e42f5d426778d8c5a5128723724
                                    • Instruction ID: 7e9379fa3abee7991fc935d5de55cab70fe03c23d43030f7d854963fb0b0df90
                                    • Opcode Fuzzy Hash: 95d6b0940c2dd69506a72ee891b523cea7139e42f5d426778d8c5a5128723724
                                    • Instruction Fuzzy Hash: 8201F771800A08EBCF12AF68AD0659F7B71EF53321F4C4115F8241B191DB318A51EFB1
                                    APIs
                                      • Part of subcall function 00DA8B28: __getptd_noexit.LIBCMT ref: 00DA8B28
                                    • __lock_file.LIBCMT ref: 00DA53EB
                                      • Part of subcall function 00DA6C11: __lock.LIBCMT ref: 00DA6C34
                                    • __fclose_nolock.LIBCMT ref: 00DA53F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    • Opcode ID: a538538bf9e5c5749296eac48398a5862139f058eabbde41096af0073fbfa985
                                    • Instruction ID: f9dc8776c06c3dd69fe18501c1e935470edbdabcce65bfa3b9a290d6b3e64c98
                                    • Opcode Fuzzy Hash: a538538bf9e5c5749296eac48398a5862139f058eabbde41096af0073fbfa985
                                    • Instruction Fuzzy Hash: 32F09632800A04DADF106B65A8057AE7AE0AF83374F248504E864AB1C5CBFC8941AF72
                                    APIs
                                      • Part of subcall function 010621E8: GetFileAttributesW.KERNELBASE(?), ref: 010621F3
                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01062B0A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1061000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AttributesCreateDirectoryFile
                                    • String ID:
                                    • API String ID: 3401506121-0
                                    • Opcode ID: 63b643568fb7c6378bbc316698f5a82189380d61675fab9f13b26cf8e4b68fbe
                                    • Instruction ID: 25948f10897dc8fdf43e72df1d8773c3458fa83ea1b8eddd4cc660cc07c7d341
                                    • Opcode Fuzzy Hash: 63b643568fb7c6378bbc316698f5a82189380d61675fab9f13b26cf8e4b68fbe
                                    • Instruction Fuzzy Hash: 0A61D331A1120997EF14DFB4DC54BEE733AFF58300F009568A60CEB290EB7A9A45C7A5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: 5d851cb5506026a0a523ecffa5826e03fbbc3cecb52f05036faf5ce127c79de2
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: 7231C470A001059FC718DF58C484A69FBA6FF5A320B6887A5E84ACB355D731EDD1DBE0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 92f121b2d27bc59545c5cf6cdb97a179e12105dcf65f0dcda6904d70d99fb27c
                                    • Instruction ID: 14e7eb26701dad72712b110f8bbe185d8ad99589dee4cba474c1ef6b13b09d9f
                                    • Opcode Fuzzy Hash: 92f121b2d27bc59545c5cf6cdb97a179e12105dcf65f0dcda6904d70d99fb27c
                                    • Instruction Fuzzy Hash: 5441E674504341DFDB24DF18C454B1ABBE1BF49318F0988ADE89A8B762C772E845CF62
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: c778781f9e171a20cf84dde63585f0a58d59cb89eb065a6447c8123d42bfb001
                                    • Instruction ID: a5a46406bc1253be991b70f2a776ef22009b0f5163d0d21b0a172b60af45c1b7
                                    • Opcode Fuzzy Hash: c778781f9e171a20cf84dde63585f0a58d59cb89eb065a6447c8123d42bfb001
                                    • Instruction Fuzzy Hash: 03212172A04A08EBDB149F26E8416E97FF4FF14350F20842AE887C6190EB30D1E4D765
                                    APIs
                                      • Part of subcall function 00D84BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00D84BEF
                                      • Part of subcall function 00DA525B: __wfsopen.LIBCMT ref: 00DA5266
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84E0F
                                      • Part of subcall function 00D84B6A: FreeLibrary.KERNEL32(00000000), ref: 00D84BA4
                                      • Part of subcall function 00D84C70: _memmove.LIBCMT ref: 00D84CBA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load__wfsopen_memmove
                                    • String ID:
                                    • API String ID: 1396898556-0
                                    • Opcode ID: 57aca0a2c5a9c8bfbb2812f68a57fe35c9f3d08abf4dcf16204fb552a065f2a9
                                    • Instruction ID: ed80fe5a19ba097822b873a6621e52200c5669e0644c97a139795f509ad098da
                                    • Opcode Fuzzy Hash: 57aca0a2c5a9c8bfbb2812f68a57fe35c9f3d08abf4dcf16204fb552a065f2a9
                                    • Instruction Fuzzy Hash: 4F11A032600706ABCF25FF74C816FAE77A9EF44710F108829F542A7181EA719A159B71
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 6fe330ab7782a47d9f0e8c1709a2c0365af3c08dc0c7a35d1286ad583b186435
                                    • Instruction ID: 528e5ff08b5474ba03f1eb1ddc8e0db0e293055009f79eb6fa59e6f95b3f59a6
                                    • Opcode Fuzzy Hash: 6fe330ab7782a47d9f0e8c1709a2c0365af3c08dc0c7a35d1286ad583b186435
                                    • Instruction Fuzzy Hash: A5211574508341DFDB14EF64C444B2ABBE0BF89314F09896CF88A97722D731E855CBA2
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DA07B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID:
                                    • API String ID: 82841172-0
                                    • Opcode ID: 2a41444fb109ee32b1ad757370b985c8cbf94f402098f2aae76eddeee443c9a0
                                    • Instruction ID: df3d6a6a0e71f52224431c94d6b496ba1018a28973a2502ab3ad7194bc58415d
                                    • Opcode Fuzzy Hash: 2a41444fb109ee32b1ad757370b985c8cbf94f402098f2aae76eddeee443c9a0
                                    • Instruction Fuzzy Hash: A3F08C7244251CAFC7119F95EC05AE8BBA8FF8E360B0501F6EC848B920CA308D58C791
                                    APIs
                                    • __lock_file.LIBCMT ref: 00DA48A6
                                      • Part of subcall function 00DA8B28: __getptd_noexit.LIBCMT ref: 00DA8B28
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    • Opcode ID: 0d738b5587ed9281bc56db1747b90a3fbc7ba4e78109bddde9029dff2331165c
                                    • Instruction ID: bb0a3886fe8d373186e825d737278a7946f91dc3406c67d0593d1114528c21c9
                                    • Opcode Fuzzy Hash: 0d738b5587ed9281bc56db1747b90a3fbc7ba4e78109bddde9029dff2331165c
                                    • Instruction Fuzzy Hash: E8F0AF31901649EBDF11AFB49C067AE3AA0EF42325F198514B824AB192DBFCC951EF71
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,00E452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84E7E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: 4c54fc6975bfe155a63c2a6dcf9660dbb0738650d310647395b62c3847f83e94
                                    • Instruction ID: fd53670434dca8bd7f87b091036e34983a6ea48e3e9aa3ac8a2cb5cb10af0b31
                                    • Opcode Fuzzy Hash: 4c54fc6975bfe155a63c2a6dcf9660dbb0738650d310647395b62c3847f83e94
                                    • Instruction Fuzzy Hash: 51F039B1505712CFCB35AF65E494826BBE1BF553393248A3EF2D682620C7329884DF60
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DA07B0
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: LongNamePath_memmove
                                    • String ID:
                                    • API String ID: 2514874351-0
                                    • Opcode ID: a02b6a23f1a2106d2fff4e12e6c6b2511e2b7eb4f5afacd7ce2898dba3641ba1
                                    • Instruction ID: 681a1e41b9f71a2e5bcf8cf1acd5d80ffd7db161f6525d1d57d29255094f95ce
                                    • Opcode Fuzzy Hash: a02b6a23f1a2106d2fff4e12e6c6b2511e2b7eb4f5afacd7ce2898dba3641ba1
                                    • Instruction Fuzzy Hash: 52E0CD369041285BC730E6999C05FEA77DDDFC87A0F0441B5FC0CD7215D961AC9086F0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                    • Instruction ID: 0cdf38058135cc4e4e97e5e94d06f8dbc489c96db9dd357d31e90f2ce1d0123b
                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                    • Instruction Fuzzy Hash: 21E0D8B0504B405FD7389E24D800BE373E1EB06304F04081DF6AAC3241EF637841D769
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 010621F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1061000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction ID: 4ba33e480d2eaf36792c3a733118e46ef43ea3f7d11994f10c3e091ac63cd94a
                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction Fuzzy Hash: 59E08C30945209FBDB54CAA88908EAD73ACAB05320F004694AA5AC3680D5308A20D664
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 010621C3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1061000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction ID: e7819ca5a089f460faf90a3d64322c3d9fb746757633c8e9952be6f394ed4c73
                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction Fuzzy Hash: 67D0A73090920CEBCB10CFB89D049DE77ACDB05361F004B54FE15C7280D53199409750
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __wfsopen
                                    • String ID:
                                    • API String ID: 197181222-0
                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction ID: 7e80df23379a55b1a6543e648586ae81b2102746a532126e82d53391ef8bc572
                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction Fuzzy Hash: 67B0927644020C77CE012A82FC02B893B199B42764F408020FB0C18162A673A6649AA9
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 01063C19
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1422627131.0000000001061000.00000040.00000020.00020000.00000000.sdmp, Offset: 01061000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1061000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: 1251dc35dfb8522b56b207a33492b631925765855954fa57435b08b2d79735d2
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: B9E0E67494110DDFDB00DFB4D6496DD7BB4FF04301F104161FD05D2280D6319D508A62
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00E0CB37
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E0CB95
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00E0CBD6
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E0CC00
                                    • SendMessageW.USER32 ref: 00E0CC29
                                    • _wcsncpy.LIBCMT ref: 00E0CC95
                                    • GetKeyState.USER32(00000011), ref: 00E0CCB6
                                    • GetKeyState.USER32(00000009), ref: 00E0CCC3
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E0CCD9
                                    • GetKeyState.USER32(00000010), ref: 00E0CCE3
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E0CD0C
                                    • SendMessageW.USER32 ref: 00E0CD33
                                    • SendMessageW.USER32(?,00001030,?,00E0B348), ref: 00E0CE37
                                    • SetCapture.USER32(?), ref: 00E0CE69
                                    • ClientToScreen.USER32(?,?), ref: 00E0CECE
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E0CEF5
                                    • ReleaseCapture.USER32 ref: 00E0CF00
                                    • GetCursorPos.USER32(?), ref: 00E0CF3A
                                    • ScreenToClient.USER32(?,?), ref: 00E0CF47
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E0CFA3
                                    • SendMessageW.USER32 ref: 00E0CFD1
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E0D00E
                                    • SendMessageW.USER32 ref: 00E0D03D
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E0D05E
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E0D06D
                                    • GetCursorPos.USER32(?), ref: 00E0D08D
                                    • ScreenToClient.USER32(?,?), ref: 00E0D09A
                                    • GetParent.USER32(?), ref: 00E0D0BA
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E0D123
                                    • SendMessageW.USER32 ref: 00E0D154
                                    • ClientToScreen.USER32(?,?), ref: 00E0D1B2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E0D1E2
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E0D20C
                                    • SendMessageW.USER32 ref: 00E0D22F
                                    • ClientToScreen.USER32(?,?), ref: 00E0D281
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E0D2B5
                                      • Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00E0D351
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F$pb
                                    • API String ID: 302779176-96320988
                                    • Opcode ID: 6026e0df1a76ae246f641e75124e769b1be417ab2073090003e9d0dbee35b1f7
                                    • Instruction ID: 21435dda9824880a4a72f4128a50713380a5a7ea213480ff7a4135edaff2775c
                                    • Opcode Fuzzy Hash: 6026e0df1a76ae246f641e75124e769b1be417ab2073090003e9d0dbee35b1f7
                                    • Instruction Fuzzy Hash: 7E42DE34204240AFD724CF25C884BAABBE5FF49314F241A29F595A72F1C732D895DF92
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove$_memset
                                    • String ID: ]$DEFINE$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                    • API String ID: 1357608183-2476006638
                                    • Opcode ID: 152a1944addd26d8f18dc57a48e478af48a0f07494ba15f7ab0f36996b5f5ceb
                                    • Instruction ID: 306f8b35203d84d618e714d663247199462448b7733b985d9e96f72d0203af0d
                                    • Opcode Fuzzy Hash: 152a1944addd26d8f18dc57a48e478af48a0f07494ba15f7ab0f36996b5f5ceb
                                    • Instruction Fuzzy Hash: 4F93A275E04215DBDF24CF98C881BADB7B1FF58710F29816AE945AB381E7709E81CB60
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,?), ref: 00D848DF
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DBD665
                                    • IsIconic.USER32(?), ref: 00DBD66E
                                    • ShowWindow.USER32(?,00000009), ref: 00DBD67B
                                    • SetForegroundWindow.USER32(?), ref: 00DBD685
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DBD69B
                                    • GetCurrentThreadId.KERNEL32 ref: 00DBD6A2
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DBD6AE
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DBD6BF
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DBD6C7
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00DBD6CF
                                    • SetForegroundWindow.USER32(?), ref: 00DBD6D2
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBD6E7
                                    • keybd_event.USER32(00000012,00000000), ref: 00DBD6F2
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBD6FC
                                    • keybd_event.USER32(00000012,00000000), ref: 00DBD701
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBD70A
                                    • keybd_event.USER32(00000012,00000000), ref: 00DBD70F
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBD719
                                    • keybd_event.USER32(00000012,00000000), ref: 00DBD71E
                                    • SetForegroundWindow.USER32(?), ref: 00DBD721
                                    • AttachThreadInput.USER32(?,?,00000000), ref: 00DBD748
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: b198238e1159705afd45699348ed4e96ae496a50825b7b2a3962720461a626a7
                                    • Instruction ID: 84cde9552af22c6ea32350a3ba6064196d7a3403133e7653676d9d3890b48647
                                    • Opcode Fuzzy Hash: b198238e1159705afd45699348ed4e96ae496a50825b7b2a3962720461a626a7
                                    • Instruction Fuzzy Hash: 85319171A40318BEEB306B629C49FBE3F6DEB44B50F104025FA05BA191DAB19C51AAA0
                                    APIs
                                      • Part of subcall function 00DD87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD882B
                                      • Part of subcall function 00DD87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD8858
                                      • Part of subcall function 00DD87E1: GetLastError.KERNEL32 ref: 00DD8865
                                    • _memset.LIBCMT ref: 00DD8353
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00DD83A5
                                    • CloseHandle.KERNEL32(?), ref: 00DD83B6
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DD83CD
                                    • GetProcessWindowStation.USER32 ref: 00DD83E6
                                    • SetProcessWindowStation.USER32(00000000), ref: 00DD83F0
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DD840A
                                      • Part of subcall function 00DD81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD8309), ref: 00DD81E0
                                      • Part of subcall function 00DD81CB: CloseHandle.KERNEL32(?,?,00DD8309), ref: 00DD81F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0
                                    • API String ID: 2063423040-1027155976
                                    • Opcode ID: aedc99422c694ee41ea72209808eca529ac867aad6c6e24344e48ce88e799231
                                    • Instruction ID: 47bb98e0eaff1b37e7e15b62d5028604ae4d376120f5b2abb4b8764ba748f7e7
                                    • Opcode Fuzzy Hash: aedc99422c694ee41ea72209808eca529ac867aad6c6e24344e48ce88e799231
                                    • Instruction Fuzzy Hash: 34815D71900209AFDF12DFA5DC45AEE7B79EF04304F18416AF914B6261DB329E54EB70
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00DEC78D
                                    • FindClose.KERNEL32(00000000), ref: 00DEC7E1
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DEC806
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DEC81D
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DEC844
                                    • __swprintf.LIBCMT ref: 00DEC890
                                    • __swprintf.LIBCMT ref: 00DEC8D3
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                    • __swprintf.LIBCMT ref: 00DEC927
                                      • Part of subcall function 00DA3698: __woutput_l.LIBCMT ref: 00DA36F1
                                    • __swprintf.LIBCMT ref: 00DEC975
                                      • Part of subcall function 00DA3698: __flsbuf.LIBCMT ref: 00DA3713
                                      • Part of subcall function 00DA3698: __flsbuf.LIBCMT ref: 00DA372B
                                    • __swprintf.LIBCMT ref: 00DEC9C4
                                    • __swprintf.LIBCMT ref: 00DECA13
                                    • __swprintf.LIBCMT ref: 00DECA62
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 3953360268-2428617273
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00DEEFB6
                                    • _wcscmp.LIBCMT ref: 00DEEFCB
                                    • _wcscmp.LIBCMT ref: 00DEEFE2
                                    • GetFileAttributesW.KERNEL32(?), ref: 00DEEFF4
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00DEF00E
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00DEF026
                                    • FindClose.KERNEL32(00000000), ref: 00DEF031
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00DEF04D
                                    • _wcscmp.LIBCMT ref: 00DEF074
                                    • _wcscmp.LIBCMT ref: 00DEF08B
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00DEF09D
                                    • SetCurrentDirectoryW.KERNEL32(00E38920), ref: 00DEF0BB
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DEF0C5
                                    • FindClose.KERNEL32(00000000), ref: 00DEF0D2
                                    • FindClose.KERNEL32(00000000), ref: 00DEF0E4
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E00953
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E0F910,00000000,?,00000000,?,?), ref: 00E009C1
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E00A09
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E00A92
                                    • RegCloseKey.ADVAPI32(?), ref: 00E00DB2
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00E00DBF
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • DragQueryPoint.SHELL32(?,?), ref: 00E0C627
                                      • Part of subcall function 00E0AB37: ClientToScreen.USER32(?,?), ref: 00E0AB60
                                      • Part of subcall function 00E0AB37: GetWindowRect.USER32(?,?), ref: 00E0ABD6
                                      • Part of subcall function 00E0AB37: PtInRect.USER32(?,?,00E0C014), ref: 00E0ABE6
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00E0C690
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E0C69B
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E0C6BE
                                    • _wcscat.LIBCMT ref: 00E0C6EE
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E0C705
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00E0C71E
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00E0C735
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00E0C757
                                    • DragFinish.SHELL32(?), ref: 00E0C75E
                                    • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00E0C851
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
                                    • API String ID: 2166380349-730855631
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00DEF113
                                    • _wcscmp.LIBCMT ref: 00DEF128
                                    • _wcscmp.LIBCMT ref: 00DEF13F
                                      • Part of subcall function 00DE4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DE43A0
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00DEF16E
                                    • FindClose.KERNEL32(00000000), ref: 00DEF179
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00DEF195
                                    • _wcscmp.LIBCMT ref: 00DEF1BC
                                    • _wcscmp.LIBCMT ref: 00DEF1D3
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00DEF1E5
                                    • SetCurrentDirectoryW.KERNEL32(00E38920), ref: 00DEF203
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DEF20D
                                    • FindClose.KERNEL32(00000000), ref: 00DEF21A
                                    • FindClose.KERNEL32(00000000), ref: 00DEF22C
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 1824444939-438819550
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DEA20F
                                    • __swprintf.LIBCMT ref: 00DEA231
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DEA26E
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DEA293
                                    • _memset.LIBCMT ref: 00DEA2B2
                                    • _wcsncpy.LIBCMT ref: 00DEA2EE
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DEA323
                                    • CloseHandle.KERNEL32(00000000), ref: 00DEA32E
                                    • RemoveDirectoryW.KERNEL32(?), ref: 00DEA337
                                    • CloseHandle.KERNEL32(00000000), ref: 00DEA341
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E0C1FC
                                    • GetFocus.USER32 ref: 00E0C20C
                                    • GetDlgCtrlID.USER32(00000000), ref: 00E0C217
                                    • _memset.LIBCMT ref: 00E0C342
                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E0C36D
                                    • GetMenuItemCount.USER32(?), ref: 00E0C38D
                                    • GetMenuItemID.USER32(?,00000000), ref: 00E0C3A0
                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E0C3D4
                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E0C41C
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E0C454
                                    • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00E0C489
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 3616455698-4108050209
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                    • API String ID: 0-4052911093
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 00DE0097
                                    • SetKeyboardState.USER32(?), ref: 00DE0102
                                    • GetAsyncKeyState.USER32(000000A0), ref: 00DE0122
                                    • GetKeyState.USER32(000000A0), ref: 00DE0139
                                    • GetAsyncKeyState.USER32(000000A1), ref: 00DE0168
                                    • GetKeyState.USER32(000000A1), ref: 00DE0179
                                    • GetAsyncKeyState.USER32(00000011), ref: 00DE01A5
                                    • GetKeyState.USER32(00000011), ref: 00DE01B3
                                    • GetAsyncKeyState.USER32(00000012), ref: 00DE01DC
                                    • GetKeyState.USER32(00000012), ref: 00DE01EA
                                    • GetAsyncKeyState.USER32(0000005B), ref: 00DE0213
                                    • GetKeyState.USER32(0000005B), ref: 00DE0221
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    APIs
                                      • Part of subcall function 00E00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFFDAD,?,?), ref: 00E00E31
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E004AC
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E0054B
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E005E3
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E00822
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00E0082F
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    • API String ID: 1240663315-0
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    • Opcode ID: 9f5d1e04c23721c194e1fa4632e7d4c17b000227016971c2a99fa44938c49939
                                    • Instruction ID: 09002f5bf556a094b46b8663eedbe1085816c6e42c9fafec3fd9d860ebed67ad
                                    • Opcode Fuzzy Hash: 9f5d1e04c23721c194e1fa4632e7d4c17b000227016971c2a99fa44938c49939
                                    • Instruction Fuzzy Hash: 2521B1352002149FDB10AF25EC19B7E7BA8EF05710F058026FA86AB271CB31ED51CBA4
                                    APIs
                                      • Part of subcall function 00D84750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D84743,?,?,00D837AE,?), ref: 00D84770
                                      • Part of subcall function 00DE4A31: GetFileAttributesW.KERNEL32(?,00DE370B), ref: 00DE4A32
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00DE38A3
                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00DE394B
                                    • MoveFileW.KERNEL32(?,?), ref: 00DE395E
                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00DE397B
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE399D
                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00DE39B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                    • String ID: \*.*
                                    • API String ID: 4002782344-1173974218
                                    • Opcode ID: 46471b25496a3b0d7de4e1c6cab697dfc35ef4dca54d01049d94ffdb4deed571
                                    • Instruction ID: c5bb393b1a460cbfa8929d0dcd766d01be461972d43565aafe76f18dc6c5c723
                                    • Opcode Fuzzy Hash: 46471b25496a3b0d7de4e1c6cab697dfc35ef4dca54d01049d94ffdb4deed571
                                    • Instruction Fuzzy Hash: F051783580518CAACB11FBA1DE969FDB778EF10310F640169E406B71A2EB21AF09CF70
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00DEF440
                                    • Sleep.KERNEL32(0000000A), ref: 00DEF470
                                    • _wcscmp.LIBCMT ref: 00DEF484
                                    • _wcscmp.LIBCMT ref: 00DEF49F
                                    • FindNextFileW.KERNEL32(?,?), ref: 00DEF53D
                                    • FindClose.KERNEL32(00000000), ref: 00DEF553
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                    • String ID: *.*
                                    • API String ID: 713712311-438819550
                                    • Opcode ID: f96c688924ae42d05381545eafe2eba65237dba6e77cdc7e519a34a2d1e6f71e
                                    • Instruction ID: 00926965813d9d10ca04f84acd8bcee7903e0827ec788a98a45f73eccb1afb2e
                                    • Opcode Fuzzy Hash: f96c688924ae42d05381545eafe2eba65237dba6e77cdc7e519a34a2d1e6f71e
                                    • Instruction Fuzzy Hash: F5417C7190024AAFCF15EF65DC49AEEBBB4FF15310F144466E815A3191EB319A94CFB0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • GetSystemMetrics.USER32(0000000F), ref: 00E0D47C
                                    • GetSystemMetrics.USER32(0000000F), ref: 00E0D49C
                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E0D6D7
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E0D6F5
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E0D716
                                    • ShowWindow.USER32(00000003,00000000), ref: 00E0D735
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00E0D75A
                                    • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00E0D77D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                    • String ID:
                                    • API String ID: 830902736-0
                                    • Opcode ID: 4095cc1872bb57722dcb7f966a2d5fc845a85a0b44d48abace668b2bb9a9d348
                                    • Instruction ID: 1ccfe30ac7a9fee99b5e658868e74d9f8649145fb210724ee5a8bb2ccb3a3d9a
                                    • Opcode Fuzzy Hash: 4095cc1872bb57722dcb7f966a2d5fc845a85a0b44d48abace668b2bb9a9d348
                                    • Instruction Fuzzy Hash: 90B1AC35604225EFDF14CFA9C9C57AD7BB1FF08705F08906AEC48AB295D731A994CB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 4b70be994d0a9203346f4ef11597547e5ae443de660772a47f0d0c2983d79dff
                                    • Instruction ID: 4ffec9008e4cd061f342e3f68999cfc777bb169920b4e6a255bf2931941179a9
                                    • Opcode Fuzzy Hash: 4b70be994d0a9203346f4ef11597547e5ae443de660772a47f0d0c2983d79dff
                                    • Instruction Fuzzy Hash: 84128C70A00609EFDF04DFA5D985AAEBBF5FF48310F10456AE846A7254EB36AD14CB70
                                    APIs
                                      • Part of subcall function 00DD87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD882B
                                      • Part of subcall function 00DD87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD8858
                                      • Part of subcall function 00DD87E1: GetLastError.KERNEL32 ref: 00DD8865
                                    • ExitWindowsEx.USER32(?,00000000), ref: 00DE51F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-194228
                                    • Opcode ID: a9504db560e871f37418239e26aa74a9b86fe4743f81a2786b77ecf96b1ab670
                                    • Instruction ID: b8953883c559914144d999ff0f1d615a368d8386a679fded535e8fd6cc1a5f3c
                                    • Opcode Fuzzy Hash: a9504db560e871f37418239e26aa74a9b86fe4743f81a2786b77ecf96b1ab670
                                    • Instruction Fuzzy Hash: 5C017B357917422FF738326ABC8AFBB7258DB043C8F280421FA43E60D6D9515C0081B8
                                    APIs
                                    • socket.WS2_32(00000002,00000001,00000006), ref: 00DF62DC
                                    • WSAGetLastError.WS2_32(00000000), ref: 00DF62EB
                                    • bind.WS2_32(00000000,?,00000010), ref: 00DF6307
                                    • listen.WS2_32(00000000,00000005), ref: 00DF6316
                                    • WSAGetLastError.WS2_32(00000000), ref: 00DF6330
                                    • closesocket.WS2_32(00000000), ref: 00DF6344
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    • API String ID: 1279440585-0
                                    • Opcode ID: f30cbe4e1aac31cc5bac762cac26ba6b688220da6704aecfc63c572ebd19b196
                                    • Instruction ID: fe8970122b899ac695afb8b18a2af4f24ea1e290f2cce0021ba01b27e24e43c4
                                    • Opcode Fuzzy Hash: f30cbe4e1aac31cc5bac762cac26ba6b688220da6704aecfc63c572ebd19b196
                                    • Instruction Fuzzy Hash: DF218D31600208AFCB10EF64C885A7EB7F9EF48724F198159EA56A7791C770ED45CB71
                                    APIs
                                      • Part of subcall function 00DA0DB6: std::exception::exception.LIBCMT ref: 00DA0DEC
                                      • Part of subcall function 00DA0DB6: __CxxThrowException@8.LIBCMT ref: 00DA0E01
                                    • _memmove.LIBCMT ref: 00DD0258
                                    • _memmove.LIBCMT ref: 00DD036D
                                    • _memmove.LIBCMT ref: 00DD0414
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                    • String ID:
                                    • API String ID: 1300846289-0
                                    • Opcode ID: f666e80131802ecc552f6b0be3c3f4bab4db55fbcbefa5f6c5278e48d451355f
                                    • Instruction ID: 4f4704a074262bddfd221b94780705c07d2b31f918b9413526b3014c4570029c
                                    • Opcode Fuzzy Hash: f666e80131802ecc552f6b0be3c3f4bab4db55fbcbefa5f6c5278e48d451355f
                                    • Instruction Fuzzy Hash: 6802BF71A00209DFCF05DF65D981AAEBBB5EF84300F54806AE84ADB355EB31DA54CBB1
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00D819FA
                                    • GetSysColor.USER32(0000000F), ref: 00D81A4E
                                    • SetBkColor.GDI32(?,00000000), ref: 00D81A61
                                      • Part of subcall function 00D81290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00D812D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ColorDialogNtdllProc_$LongWindow
                                    • String ID:
                                    • API String ID: 591255283-0
                                    • Opcode ID: 118a81092e4b749be0f3346c46c07ee5d4ed0aed03796c274b07b6f34524e6d0
                                    • Instruction ID: 984e80cf2a7d89797edb0296a6943aa2af6cf45b17ca940cf62cbea19e13a6d9
                                    • Opcode Fuzzy Hash: 118a81092e4b749be0f3346c46c07ee5d4ed0aed03796c274b07b6f34524e6d0
                                    • Instruction Fuzzy Hash: 10A15679102545FFEA2CBB29CC49EBF259CDB46351B28021BF183E21D2CA60DD4B97B1
                                    APIs
                                      • Part of subcall function 00DF7D8B: inet_addr.WS2_32(00000000), ref: 00DF7DB6
                                    • socket.WS2_32(00000002,00000002,00000011), ref: 00DF679E
                                    • WSAGetLastError.WS2_32(00000000), ref: 00DF67C7
                                    • bind.WS2_32(00000000,?,00000010), ref: 00DF6800
                                    • WSAGetLastError.WS2_32(00000000), ref: 00DF680D
                                    • closesocket.WS2_32(00000000), ref: 00DF6821
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 99427753-0
                                    • Opcode ID: 00b95005a88306b6fba6ac41e7a664b2af51e8f72af32fb50abce62d78561172
                                    • Instruction ID: fb50e51aa4c4fa4b5c6d398df8e24f13db7648c1966981447c4e89bb6cfdfbf6
                                    • Opcode Fuzzy Hash: 00b95005a88306b6fba6ac41e7a664b2af51e8f72af32fb50abce62d78561172
                                    • Instruction Fuzzy Hash: BA41D475A00204AFDB50BF648C96F7EB7A8DF05714F48845DFA56AB3C2CA709D0197B1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: a72fe1bf9925f6560ad38ad42fb892e700d968bdea142fe78e1a5034eec2d8bf
                                    • Instruction ID: 3deb222d0ef0e85e088aa54c56ac6034a160d28a58c4d457c7dcf26e542e1088
                                    • Opcode Fuzzy Hash: a72fe1bf9925f6560ad38ad42fb892e700d968bdea142fe78e1a5034eec2d8bf
                                    • Instruction Fuzzy Hash: 9B11B232300A116FEB316F269C44A6FBB98EF447A5B545029F846E3281CBB5DC818AB4
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD80C0
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD80CA
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD80D9
                                    • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00DD80E0
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD80F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: 10528feaa37a024a8c858610dcf69195f94ef77f387f463fd4d0e4207835203b
                                    • Instruction ID: 4db7b2c0d146790b670fa17e2cb3b656d26c04a6582a5dff58860d8659464706
                                    • Opcode Fuzzy Hash: 10528feaa37a024a8c858610dcf69195f94ef77f387f463fd4d0e4207835203b
                                    • Instruction Fuzzy Hash: 77F06231241305AFEB314FA6EC8DE673BACEF49B55B040026F945D6250CB62DC99EA70
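The function entries above all share one fixed layout: an APIs list (direct calls, plus indented "Part of subcall function" lines), an optional Strings marker, the Memory Dump Source block, and the Similarity fields that end with Instruction Fuzzy Hash. The following Python is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses that layout into records, indexes entries on a Similarity field so an API ID or fuzzy hash can be pivoted on across reports, and flags the API combinations visible in this listing (AdjustTokenPrivileges with ExitWindowsEx and the SeShutdownPrivilege string, socket/bind/listen, the FindFirstFileW/DeleteFileW/MoveFileW directory walk, GetTokenInformation followed by RtlAllocateHeap). The embedded sample text is constructed by copying two entries from this page; the rule names and the capability mapping are the example author's own assumption, not labels the report assigns.

```python
"""Parse Joe Sandbox function entries (APIs / Strings / Memory Dump Source /
Similarity) into records and flag capability patterns (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A call line: optional bullet, optional subcall prefix, Name.MODULE(args), ref: ADDR.
# Lines such as "GetLastError.KERNEL32 ref: ..." have no argument list at all.
API_RE = re.compile(
    r"^(?:[•\-]\s*)?(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][\w:@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# Any other bulleted "Key: value" line (Source File, Associated, API ID, ...).
FIELD_RE = re.compile(r"^[•\-]\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
END_KEY = "Instruction Fuzzy Hash"   # last field of every entry; closes the record

# Capability rules (assumed names): every listed API must occur in the entry,
# either as a direct call or inside a "Part of subcall function" line.
RULES = {
    "shutdown_with_privilege": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "tcp_listener": {"socket", "bind", "listen"},
    "udp_bind": {"socket", "bind", "inet_addr"},
    "dir_walk_delete_move": {"FindFirstFileW", "DeleteFileW", "MoveFileW"},
    "token_groups_query": {"GetTokenInformation", "RtlAllocateHeap"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str]   # set when the line was "Part of subcall function X"


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def api_names(self) -> set:
        return {c.name for c in self.apis}

    def capabilities(self) -> List[str]:
        names = self.api_names
        return sorted(r for r, need in RULES.items() if need <= names)


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split report text into entries; section headers (APIs, Strings, ...) are skipped."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a != ""]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("caller")))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Associated":          # repeated per entry: keep all of them
                cur.fields.setdefault(key, []).append(val)
            else:
                cur.fields[key] = val
            if key == END_KEY:
                entries.append(cur)
                cur = FunctionEntry()
    return entries


def index_by(entries: List[FunctionEntry], key: str) -> dict:
    """Group entries on one Similarity field (e.g. 'API ID') for cross-report pivoting."""
    out = {}
    for e in entries:
        out.setdefault(e.fields.get(key, ""), []).append(e)
    return out


# Constructed sample: two entries copied from this report's function listing.
SAMPLE = """\
APIs
  • Part of subcall function 00DD87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD882B
  • Part of subcall function 00DD87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD8858
  • Part of subcall function 00DD87E1: GetLastError.KERNEL32 ref: 00DD8865
• ExitWindowsEx.USER32(?,00000000), ref: 00DE51F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Instruction Fuzzy Hash: 5C017B357917422FF738326ABC8AFBB7258DB043C8F280421FA43E60D6D9515C0081B8
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00DF62DC
• WSAGetLastError.WS2_32(00000000), ref: 00DF62EB
• bind.WS2_32(00000000,?,00000010), ref: 00DF6307
• listen.WS2_32(00000000,00000005), ref: 00DF6316
• closesocket.WS2_32(00000000), ref: 00DF6344
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• Instruction Fuzzy Hash: DF218D31600208AFCB10EF64C885A7EB7F9EF48724F198159EA56A7791C770ED45CB71
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        direct = [c.ref for c in e.apis if c.caller is None]
        print(direct[0] if direct else "?", e.fields.get("API ID"), e.capabilities())
```

The API ID and the two fuzzy hashes are Joe Sandbox's own similarity keys; the example treats them as opaque strings and only uses them as pivot values, which is enough to find the same function across reports of other samples built with the same runtime.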
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
                                    • API String ID: 0-2781164977
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 00DEC432
                                    • CoCreateInstance.COMBASE(00E12D6C,00000000,00000001,00E12BDC,?), ref: 00DEC44A
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                    • CoUninitialize.COMBASE ref: 00DEC6B7
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                    • String ID: .lnk
                                    • API String ID: 2683427295-24824748
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID:
                                    • API String ID: 674341424-0
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00DFEE3D
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00DFEE4B
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                    • Process32NextW.KERNEL32(00000000,?), ref: 00DFEF0B
                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00DFEF1A
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                    • String ID:
                                    • API String ID: 2576544623-0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • GetCursorPos.USER32(?), ref: 00E0C4D2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DBB9AB,?,?,?,?,?), ref: 00E0C4E7
                                    • GetCursorPos.USER32(?), ref: 00E0C534
                                    • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DBB9AB,?,?,?), ref: 00E0C56E
                                    Similarity
                                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                    • String ID:
                                    • API String ID: 1423138444-0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00D812D8
                                    • GetClientRect.USER32(?,?), ref: 00DBB5FB
                                    • GetCursorPos.USER32(?), ref: 00DBB605
                                    • ScreenToClient.USER32(?,?), ref: 00DBB610
                                    Similarity
                                    • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                    • String ID:
                                    • API String ID: 1010295502-0
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DDE628
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($|
                                    • API String ID: 1659193697-1631851259
                                    APIs
                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00DF180A,00000000), ref: 00DF23E1
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00DF2418
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00DEB40B
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DEB465
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00DEB4B2
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    APIs
                                      • Part of subcall function 00DA0DB6: std::exception::exception.LIBCMT ref: 00DA0DEC
                                      • Part of subcall function 00DA0DB6: __CxxThrowException@8.LIBCMT ref: 00DA0E01
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD882B
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD8858
                                    • GetLastError.KERNEL32 ref: 00DD8865
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00DD8774
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DD878B
                                    • FreeSid.ADVAPI32(?), ref: 00DD879B
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    APIs
                                    • __time64.LIBCMT ref: 00DE889B
                                      • Part of subcall function 00DA520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DE8F6E,00000000,?,?,?,?,00DE911F,00000000,?), ref: 00DA5213
                                      • Part of subcall function 00DA520A: __aulldiv.LIBCMT ref: 00DA5233
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID: 0e
                                    • API String ID: 2893107130-533242481
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                      • Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC
                                    • GetParent.USER32(?), ref: 00DBB7BA
                                    • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00D819B3,?,?,?,00000006,?), ref: 00DBB834
                                    Similarity
                                    • API ID: LongWindow$DialogNtdllParentProc_
                                    • String ID:
                                    • API String ID: 314495775-0
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00DEC6FB
                                    • FindClose.KERNEL32(00000000), ref: 00DEC72B
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00DBB93A,?,?,?), ref: 00E0C5F1
                                      • Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC
                                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00E0C5D7
                                    Similarity
                                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                                    • String ID:
                                    • API String ID: 1273190321-0
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 00E0C961
                                    • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00DBBA16,?,?,?,?,?), ref: 00E0C98A
                                    Similarity
                                    • API ID: ClientDialogNtdllProc_Screen
                                    • String ID:
                                    • API String ID: 3420055661-0
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00DF9468,?,00E0FB84,?), ref: 00DEA097
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00DF9468,?,00E0FB84,?), ref: 00DEA0A9
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00E0CA84
                                    • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00DBB995,?,?,?,?), ref: 00E0CAB2
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD8309), ref: 00DD81E0
                                    • CloseHandle.KERNEL32(?,?,00DD8309), ref: 00DD81F2
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,00E14178,00DA8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00DAA15A
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DAA163
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00E0D838
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                      • Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC
                                    • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00DBB952,?,?,?,?,00000000,?), ref: 00E0D432
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00D81B04,?,?,?,?,?), ref: 00D818E2
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00E0C8FE
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    APIs
                                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00DE4C76
                                    Similarity
                                    • API ID: mouse_event
                                    • String ID:
                                    • API String ID: 2434400541-0
                                    APIs
                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00DD8389), ref: 00DD87D1
                                    Similarity
                                    • API ID: LogonUser
                                    • String ID:
                                    • API String ID: 1244722697-0
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00DBB9BC,?,?,?,?,?,?), ref: 00E0C934
                                      • Part of subcall function 00E0B635: _memset.LIBCMT ref: 00E0B644
                                      • Part of subcall function 00E0B635: _memset.LIBCMT ref: 00E0B653
                                      • Part of subcall function 00E0B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E46F20,00E46F64), ref: 00E0B682
                                      • Part of subcall function 00E0B635: CloseHandle.KERNEL32 ref: 00E0B694
                                    Similarity
                                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                    • String ID:
                                    • API String ID: 2364484715-0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00D81AEE,?,?,?), ref: 00D816AB
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 00E0C8B4
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 00E0C885
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                      • Part of subcall function 00D8201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D820D3
                                      • Part of subcall function 00D8201B: KillTimer.USER32(-00000001,?,?,?,?,00D816CB,00000000,?,?,00D81AE2,?,?), ref: 00D8216E
                                    • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00D81AE2,?,?), ref: 00D816D4
                                    Similarity
                                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                    • String ID:
                                    • API String ID: 2797419724-0
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DAA12A
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 00DF785B
                                    • DeleteObject.GDI32(00000000), ref: 00DF786D
                                    • DestroyWindow.USER32 ref: 00DF787B
                                    • GetDesktopWindow.USER32 ref: 00DF7895
                                    • GetWindowRect.USER32(00000000), ref: 00DF789C
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00DF79DD
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00DF79ED
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7A35
                                    • GetClientRect.USER32(00000000,?), ref: 00DF7A41
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DF7A7B
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7A9D
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7AB0
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7ABB
                                    • GlobalLock.KERNEL32(00000000), ref: 00DF7AC4
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7AD3
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00DF7ADC
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7AE3
                                    • GlobalFree.KERNEL32(00000000), ref: 00DF7AEE
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00DF7B00
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E12CAC,00000000), ref: 00DF7B16
                                    • GlobalFree.KERNEL32(00000000), ref: 00DF7B26
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00DF7B4C
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00DF7B6B
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7B8D
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF7D7A
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,00E0F910), ref: 00E03627
                                    • IsWindowVisible.USER32(?), ref: 00E0364B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: BuffCharUpperVisibleWindow
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 4105515805-45149045
                                    • Opcode ID: 6df4a610c799e996c193009a60c828123de56bf51a7c73deaa9370ac891d0d44
                                    • Instruction ID: a91bb900869adba1c2470ebd64f8eb36873c64a1d6688671934459f0e3dbe735
                                    • Opcode Fuzzy Hash: 6df4a610c799e996c193009a60c828123de56bf51a7c73deaa9370ac891d0d44
                                    • Instruction Fuzzy Hash: F5D153702043019BCB04EF20C456A6EBBA5EF95354F185459F8866B3E3DB71DE8ACB71
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 00E0A630
                                    • GetSysColorBrush.USER32(0000000F), ref: 00E0A661
                                    • GetSysColor.USER32(0000000F), ref: 00E0A66D
                                    • SetBkColor.GDI32(?,000000FF), ref: 00E0A687
                                    • SelectObject.GDI32(?,00000000), ref: 00E0A696
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00E0A6C1
                                    • GetSysColor.USER32(00000010), ref: 00E0A6C9
                                    • CreateSolidBrush.GDI32(00000000), ref: 00E0A6D0
                                    • FrameRect.USER32(?,?,00000000), ref: 00E0A6DF
                                    • DeleteObject.GDI32(00000000), ref: 00E0A6E6
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00E0A731
                                    • FillRect.USER32(?,?,00000000), ref: 00E0A763
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00E0A78E
                                      • Part of subcall function 00E0A8CA: GetSysColor.USER32(00000012), ref: 00E0A903
                                      • Part of subcall function 00E0A8CA: SetTextColor.GDI32(?,?), ref: 00E0A907
                                      • Part of subcall function 00E0A8CA: GetSysColorBrush.USER32(0000000F), ref: 00E0A91D
                                      • Part of subcall function 00E0A8CA: GetSysColor.USER32(0000000F), ref: 00E0A928
                                      • Part of subcall function 00E0A8CA: GetSysColor.USER32(00000011), ref: 00E0A945
                                      • Part of subcall function 00E0A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E0A953
                                      • Part of subcall function 00E0A8CA: SelectObject.GDI32(?,00000000), ref: 00E0A964
                                      • Part of subcall function 00E0A8CA: SetBkColor.GDI32(?,00000000), ref: 00E0A96D
                                      • Part of subcall function 00E0A8CA: SelectObject.GDI32(?,?), ref: 00E0A97A
                                      • Part of subcall function 00E0A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00E0A999
                                      • Part of subcall function 00E0A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E0A9B0
                                      • Part of subcall function 00E0A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00E0A9C5
                                      • Part of subcall function 00E0A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E0A9ED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 3521893082-0
                                    • Opcode ID: 1f97e0a65de821d4c3fff7f5eb0070a3d2001dc11d4e448959100dd5dab26b6c
                                    • Instruction ID: 96e1e8ea8fb38d8acf9b89c1bbba4dc82b2e5258f460b6f1ccb3827d04424761
                                    • Opcode Fuzzy Hash: 1f97e0a65de821d4c3fff7f5eb0070a3d2001dc11d4e448959100dd5dab26b6c
                                    • Instruction Fuzzy Hash: 0691AE72008305EFCB209F65DC08A5B7BB9FF89321F145B29F562A61E1C732D898CB52
                                    APIs
                                    • DestroyWindow.USER32(00000000), ref: 00DF74DE
                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DF759D
                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00DF75DB
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00DF75ED
                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00DF7633
                                    • GetClientRect.USER32(00000000,?), ref: 00DF763F
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00DF7683
                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DF7692
                                    • GetStockObject.GDI32(00000011), ref: 00DF76A2
                                    • SelectObject.GDI32(00000000,00000000), ref: 00DF76A6
                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00DF76B6
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DF76BF
                                    • DeleteDC.GDI32(00000000), ref: 00DF76C8
                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DF76F4
                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00DF770B
                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00DF7746
                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DF775A
                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00DF776B
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00DF779B
                                    • GetStockObject.GDI32(00000011), ref: 00DF77A6
                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DF77B1
                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00DF77BB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                    • API String ID: 2910397461-517079104
                                    • Opcode ID: db7c1928d454737ef22bfdbdfff0ff573f13070c0a4bd49235add494bc22a7e0
                                    • Instruction ID: f68606d2064813bc11bfbb26906b4da36688932ad5d2eb01481fca22a3dbcfef
                                    • Opcode Fuzzy Hash: db7c1928d454737ef22bfdbdfff0ff573f13070c0a4bd49235add494bc22a7e0
                                    • Instruction Fuzzy Hash: F0A1A071A00609BFEB10DBA5DC4AFAEBBB9EB05710F048115FA14B72E1C7B0AD55CB64
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00DEAD1E
                                    • GetDriveTypeW.KERNEL32(?,00E0FAC0,?,\\.\,00E0F910), ref: 00DEADFB
                                    • SetErrorMode.KERNEL32(00000000,00E0FAC0,?,\\.\,00E0F910), ref: 00DEAF59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    • Opcode ID: 44557cece5560e278a916d4fd88cc2dac1dafa32d1a845d75e63c3556a921953
                                    • Instruction ID: d7279f5801462bcb9e5f94170efee3db6710a7d8998fd0ff2fe39daf009a5f75
                                    • Opcode Fuzzy Hash: 44557cece5560e278a916d4fd88cc2dac1dafa32d1a845d75e63c3556a921953
                                    • Instruction Fuzzy Hash: A451AEB4648347ABCB10FB1ACA96CBDBBA0EF48700B244156F446B7290DA71FD41DB72
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    • Opcode ID: fa6359d4b5f656c2a04abcbb243ed95bf0f600a4cfdaed9019b4f603ea6f2003
                                    • Instruction ID: d5bdbca35de1c07f1fdf164651f0bf2588ae65e72ce36c4d060c1a5fa77b8d72
                                    • Opcode Fuzzy Hash: fa6359d4b5f656c2a04abcbb243ed95bf0f600a4cfdaed9019b4f603ea6f2003
                                    • Instruction Fuzzy Hash: 1D81F3B0600305BBCB21BB65EC42FEE37A9EF15710F080024F946AB1D6EB60DA51DBB1
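                                     The string set of the routine above (AutoIt's preprocessor directives such as #include, #requireadmin and #notrayicon, plus the parser messages "Bad directive syntax error" and "Unterminated group of comments", all compared with __wcsnicmp) is the AutoIt v3 interpreter's directive parser, which is why the sample reads as a compiled AutoIt script. The Python below is an added example, not part of the Joe Sandbox report: it scans a memory dump for those markers in both narrow and UTF-16LE encodings and returns a verdict. The sample buffer and the scoring thresholds are constructed here for illustration.

```python
"""Triage helper: look for AutoIt v3 runtime markers in a memory dump.

Added example, not part of the Joe Sandbox report. The marker strings are the
ones the report lists for the dumped interpreter code; the sample buffer and
the scoring thresholds are constructed here and are not anything the report
defines.
"""
import re

# Directive strings and parser messages from the routine whose only import
# is __wcsnicmp, plus the window title / control class used by the GUI code.
AUTOIT_DIRECTIVES = [
    "#OnAutoItStartRegister", "#ce", "#comments-end", "#comments-start", "#cs",
    "#include", "#include-once", "#notrayicon", "#pragma compile",
    "#requireadmin",
]
AUTOIT_MESSAGES = [
    "Bad directive syntax error", "Cannot parse #include",
    "Unterminated group of comments",
]
AUTOIT_GUI = ["AutoIt v3", "msctls_progress32"]


def _patterns(markers):
    """One byte-regex per marker and encoding. The runtime compares
    directives with the wide-char __wcsnicmp, so the UTF-16LE form is the one
    to expect in the interpreter image; the ASCII form catches narrow copies."""
    out = []
    for m in markers:
        for enc in ("ascii", "utf-16-le"):
            out.append((m, enc, re.compile(re.escape(m.encode(enc)))))
    return out


def scan_autoit_markers(dump: bytes) -> dict:
    """Return {marker: [(offset, encoding), ...]} for every marker found."""
    hits = {}
    for marker, enc, rx in _patterns(AUTOIT_DIRECTIVES + AUTOIT_MESSAGES + AUTOIT_GUI):
        for m in rx.finditer(dump):
            hits.setdefault(marker, []).append((m.start(), enc))
    return hits


def classify(hits: dict) -> tuple:
    """Verdict from how many marker families are present.

    Thresholds are this example's choice: the directive set alone is expected
    in any AutoIt-compiled binary, so it gates the verdict; parser messages and
    GUI strings raise confidence rather than gate it."""
    directives = sum(1 for m in AUTOIT_DIRECTIVES if m in hits)
    messages = sum(1 for m in AUTOIT_MESSAGES if m in hits)
    gui = sum(1 for m in AUTOIT_GUI if m in hits)
    score = directives + 2 * messages + 2 * gui
    if directives >= 5 and (messages or gui):
        return ("compiled AutoIt runtime present", score)
    if directives >= 3:
        return ("possible AutoIt runtime (directives only)", score)
    return ("no AutoIt markers", score)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: filler bytes with a few of the
    report's strings embedded as NUL-terminated UTF-16LE, the way a wide-char
    runtime stores them. Not taken from the real sample."""
    filler = bytes(range(256)) * 4          # 1024 bytes of non-text filler

    def wide(s):
        return s.encode("utf-16-le") + b"\x00\x00"

    return (filler + wide("#include") + filler
            + wide("#requireadmin") + wide("#notrayicon") + wide("#pragma compile")
            + wide("#OnAutoItStartRegister") + filler
            + wide("Bad directive syntax error") + wide("AutoIt v3") + filler)


if __name__ == "__main__":
    found = scan_autoit_markers(build_sample_dump())
    verdict, score = classify(found)
    for marker, where in sorted(found.items()):
        print(f"{marker!r:32} {[(hex(o), e) for o, e in where]}")
    print(f"{verdict} (score {score})")
```

                                     Run it against a real .sdmp by passing the file's bytes to scan_autoit_markers; hits from the directive list at nearby offsets are the interpreter's own string table, while the same strings scattered far apart are more likely script source.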
                                    APIs
                                    • DestroyWindow.USER32(?,?,?), ref: 00D82CA2
                                    • DeleteObject.GDI32(00000000), ref: 00D82CE8
                                    • DeleteObject.GDI32(00000000), ref: 00D82CF3
                                    • DestroyCursor.USER32(00000000), ref: 00D82CFE
                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00D82D09
                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00DBC43B
                                    • 6FAA0200.COMCTL32(?,000000FF,?), ref: 00DBC474
                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DBC89D
                                      • Part of subcall function 00D81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D82036,?,00000000,?,?,?,?,00D816CB,00000000,?), ref: 00D81B9A
                                    • SendMessageW.USER32(?,00001053), ref: 00DBC8DA
                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DBC8F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: DestroyMessageSendWindow$DeleteObject$A0200CursorInvalidateMoveRect
                                    • String ID: 0
                                    • API String ID: 377055139-4108050209
                                    • Opcode ID: fd91802cfa188741bf2effe75760d201ad0ee25e6bf7b844913be165b548937b
                                    • Instruction ID: e5d84fcd4b87ba5b7ef3dfdbf0ed0d769293e1f3602c896ce1557f2ddd8ffd29
                                    • Opcode Fuzzy Hash: fd91802cfa188741bf2effe75760d201ad0ee25e6bf7b844913be165b548937b
                                    • Instruction Fuzzy Hash: 86127A30614201EFDB25DF24C884BB9BBE5FF44300F585569E896DB662CB31E896CBB1
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00E09AD2
                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00E09B8B
                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00E09BA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: 0
                                    • API String ID: 2326795674-4108050209
                                    • Opcode ID: 0cda06d83053abb0c9e3480311f4e29418de9a43e70407d9824f568e0f7a5305
                                    • Instruction ID: 12a9a55b72c94277d2f7344017b4fc36fb7d2be6318ad169faa60c4c50355dca
                                    • Opcode Fuzzy Hash: 0cda06d83053abb0c9e3480311f4e29418de9a43e70407d9824f568e0f7a5305
                                    • Instruction Fuzzy Hash: 3602BE70204201AFD725CF25C848BAABBE5FF49318F04952DF595E62E3C735D895CB52
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 00E0A903
                                    • SetTextColor.GDI32(?,?), ref: 00E0A907
                                    • GetSysColorBrush.USER32(0000000F), ref: 00E0A91D
                                    • GetSysColor.USER32(0000000F), ref: 00E0A928
                                    • CreateSolidBrush.GDI32(?), ref: 00E0A92D
                                    • GetSysColor.USER32(00000011), ref: 00E0A945
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E0A953
                                    • SelectObject.GDI32(?,00000000), ref: 00E0A964
                                    • SetBkColor.GDI32(?,00000000), ref: 00E0A96D
                                    • SelectObject.GDI32(?,?), ref: 00E0A97A
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00E0A999
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E0A9B0
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00E0A9C5
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E0A9ED
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E0AA14
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00E0AA32
                                    • DrawFocusRect.USER32(?,?), ref: 00E0AA3D
                                    • GetSysColor.USER32(00000011), ref: 00E0AA4B
                                    • SetTextColor.GDI32(?,00000000), ref: 00E0AA53
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E0AA67
                                    • SelectObject.GDI32(?,00E0A5FA), ref: 00E0AA7E
                                    • DeleteObject.GDI32(?), ref: 00E0AA89
                                    • SelectObject.GDI32(?,?), ref: 00E0AA8F
                                    • DeleteObject.GDI32(?), ref: 00E0AA94
                                    • SetTextColor.GDI32(?,?), ref: 00E0AA9A
                                    • SetBkColor.GDI32(?,?), ref: 00E0AAA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: 8c7d56b2926a01d8ad309bb3a12b88321e4bbd32d74686f9f7d1f64e6f5c7a64
                                    • Instruction ID: 2e9191b16087d1802623e3d9a0974602495882bee9723761fd4d9dc84c61ed4e
                                    • Opcode Fuzzy Hash: 8c7d56b2926a01d8ad309bb3a12b88321e4bbd32d74686f9f7d1f64e6f5c7a64
                                    • Instruction Fuzzy Hash: 5D514B71901208EFDF209FA5DC48EAE7BB9EB48320F154225F911BB2A1D7729994DF90
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E08AC1
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E08AD2
                                    • CharNextW.USER32(0000014E), ref: 00E08B01
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E08B42
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E08B58
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E08B69
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E08B86
                                    • SetWindowTextW.USER32(?,0000014E), ref: 00E08BD8
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E08BEE
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E08C1F
                                    • _memset.LIBCMT ref: 00E08C44
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E08C8D
                                    • _memset.LIBCMT ref: 00E08CEC
                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E08D16
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E08D6E
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00E08E1B
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00E08E3D
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E08E87
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E08EB4
                                    • DrawMenuBar.USER32(?), ref: 00E08EC3
                                    • SetWindowTextW.USER32(?,0000014E), ref: 00E08EEB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    • Opcode ID: cb17c0fcf36dde772b0cc4495a07c46fbb4a949da61733c91e0b6f7b77252c95
                                    • Instruction ID: d1bcf9e0a59acc58b3feff0f58642752e9e5629b2ae17e000f49ed9f15a08d4f
                                    • Opcode Fuzzy Hash: cb17c0fcf36dde772b0cc4495a07c46fbb4a949da61733c91e0b6f7b77252c95
                                    • Instruction Fuzzy Hash: 49E19E70A00209AFDF209FA1CD84AEE7BB9EF09714F009156F995BA2D1DB7189C5CF60
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00E049CA
                                    • GetDesktopWindow.USER32 ref: 00E049DF
                                    • GetWindowRect.USER32(00000000), ref: 00E049E6
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00E04A48
                                    • DestroyWindow.USER32(?), ref: 00E04A74
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E04A9D
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E04ABB
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E04AE1
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00E04AF6
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E04B09
                                    • IsWindowVisible.USER32(?), ref: 00E04B29
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E04B44
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E04B58
                                    • GetWindowRect.USER32(?,?), ref: 00E04B70
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00E04B96
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00E04BB0
                                    • CopyRect.USER32(?,?), ref: 00E04BC7
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00E04C32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: 57f2bff3fc48b280aeb10a98c055a51ec625c837451f655945401fbcde341cba
                                    • Instruction ID: fc808b4b6d8a2c26736a184f73244c83086da93a84f13a5a99961c864ef3d903
                                    • Opcode Fuzzy Hash: 57f2bff3fc48b280aeb10a98c055a51ec625c837451f655945401fbcde341cba
                                    • Instruction Fuzzy Hash: 30B18AB1604341AFDB04DF65C984B6ABBE4EB84704F00891CF599AB2E1D771EC85CBA5
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D828BC
                                    • GetSystemMetrics.USER32(00000007), ref: 00D828C4
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D828EF
                                    • GetSystemMetrics.USER32(00000008), ref: 00D828F7
                                    • GetSystemMetrics.USER32(00000004), ref: 00D8291C
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D82939
                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D82949
                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D8297C
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D82990
                                    • GetClientRect.USER32(00000000,000000FF), ref: 00D829AE
                                    • GetStockObject.GDI32(00000011), ref: 00D829CA
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D829D5
                                      • Part of subcall function 00D82344: GetCursorPos.USER32(?), ref: 00D82357
                                      • Part of subcall function 00D82344: ScreenToClient.USER32(00E457B0,?), ref: 00D82374
                                      • Part of subcall function 00D82344: GetAsyncKeyState.USER32(00000001), ref: 00D82399
                                      • Part of subcall function 00D82344: GetAsyncKeyState.USER32(00000002), ref: 00D823A7
                                    • SetTimer.USER32(00000000,00000000,00000028,00D81256), ref: 00D829FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: a888ec29973b476b13744a94095dc2506fcaa21ae4ee00286b64e18cdf1838ea
                                    • Instruction ID: 81655e4dca4eea2da45a20e5d1a3172945736c1cf0d2d0e0917966f2433ba82f
                                    • Opcode Fuzzy Hash: a888ec29973b476b13744a94095dc2506fcaa21ae4ee00286b64e18cdf1838ea
                                    • Instruction Fuzzy Hash: D2B16F75A0020AEFDB14EFA9DC45BAE7BB4FB08711F104129FA16A7290DB74E855CB60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _wcscat$A1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                    • API String ID: 3483108802-1459072770
                                    • Opcode ID: e10584e76baf421b550fe9d96e41c2ebb242406c2e52861aefaad4c4fb389451
                                    • Instruction ID: d9860be3e2838b40137aafc27c1ca0d656a01f31fb42eca7377c9c033622ae53
                                    • Opcode Fuzzy Hash: e10584e76baf421b550fe9d96e41c2ebb242406c2e52861aefaad4c4fb389451
                                    • Instruction Fuzzy Hash: 0D41D572A003007BDB11BB768C47EBF7BACDF46710F08046AF905F6182EA75DA1196B9
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 00DDA47A
                                    • __swprintf.LIBCMT ref: 00DDA51B
                                    • _wcscmp.LIBCMT ref: 00DDA52E
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DDA583
                                    • _wcscmp.LIBCMT ref: 00DDA5BF
                                    • GetClassNameW.USER32(?,?,00000400), ref: 00DDA5F6
                                    • GetDlgCtrlID.USER32(?), ref: 00DDA648
                                    • GetWindowRect.USER32(?,?), ref: 00DDA67E
                                    • GetParent.USER32(?), ref: 00DDA69C
                                    • ScreenToClient.USER32(00000000), ref: 00DDA6A3
                                    • GetClassNameW.USER32(?,?,00000100), ref: 00DDA71D
                                    • _wcscmp.LIBCMT ref: 00DDA731
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00DDA757
                                    • _wcscmp.LIBCMT ref: 00DDA76B
                                      • Part of subcall function 00DA362C: _iswctype.LIBCMT ref: 00DA3634
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                    • String ID: %s%u
                                    • API String ID: 3744389584-679674701
                                    • Opcode ID: 3690338b465634583497433c7e5217b9aa09ef80a5d3533dc7487cbd9d8d9d01
                                    • Instruction ID: 5ec9d480ee2ae6a8a01fee690d7fabd1a71dcae91a03d33a743e46a6a21460ff
                                    • Opcode Fuzzy Hash: 3690338b465634583497433c7e5217b9aa09ef80a5d3533dc7487cbd9d8d9d01
                                    • Instruction Fuzzy Hash: 06A19171204606BFD715DF68C884BAAB7E8FF44314F18852AF999D2290DB30E955CBB2
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00DDAF18
                                    • _wcscmp.LIBCMT ref: 00DDAF29
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00DDAF51
                                    • CharUpperBuffW.USER32(?,00000000), ref: 00DDAF6E
                                    • _wcscmp.LIBCMT ref: 00DDAF8C
                                    • _wcsstr.LIBCMT ref: 00DDAF9D
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00DDAFD5
                                    • _wcscmp.LIBCMT ref: 00DDAFE5
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00DDB00C
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00DDB055
                                    • _wcscmp.LIBCMT ref: 00DDB065
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00DDB08D
                                    • GetWindowRect.USER32(00000004,?), ref: 00DDB0F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: ee3b8a4b22fb1e27e620c8730b063595d0751d9d20f99303f7ad40fe926d76e0
                                    • Instruction ID: 87ced33684505f307075eeb869755874d62ac56b12a5d1d2c0eb0ad3bea5d1b1
                                    • Opcode Fuzzy Hash: ee3b8a4b22fb1e27e620c8730b063595d0751d9d20f99303f7ad40fe926d76e0
                                    • Instruction Fuzzy Hash: D0818D71108305DBDB15DF24C885BAA77E8EF44328F08856BFD859A295DB30D989CBB2
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: 322458c70ba783746089e6712dbab786d32841c0256bc083e0fdb749d7066eec
                                    • Instruction ID: d881db82a946c3049560ab756a0e90f80ac374c2f880fe3eb8baabe039177b78
                                    • Opcode Fuzzy Hash: 322458c70ba783746089e6712dbab786d32841c0256bc083e0fdb749d7066eec
                                    • Instruction Fuzzy Hash: C231D475A48309A7DB20FA58DD47EAE7BA5EF10720F20441AF481711D1FF51AF04D672
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00DF5013
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00DF501E
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00DF5029
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00DF5034
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00DF503F
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00DF504A
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00DF5055
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00DF5060
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00DF506B
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00DF5076
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00DF5081
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00DF508C
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00DF5097
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00DF50A2
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00DF50AD
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00DF50B8
                                    • GetCursorInfo.USER32(?), ref: 00DF50C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Cursor$Load$Info
                                    • String ID:
                                    • API String ID: 2577412497-0
                                    • Opcode ID: 80565d3a6f4ce078992d93ac6726a33f9fe2e105463a8fde60b83788d848b7f7
                                    • Instruction ID: 29a52e684d0ddd81285d85da44c2c9536069c0d90d07e4539927d385cae37e76
                                    • Opcode Fuzzy Hash: 80565d3a6f4ce078992d93ac6726a33f9fe2e105463a8fde60b83788d848b7f7
                                    • Instruction Fuzzy Hash: F43116B1D0831D6ADF109FB69C8996EBFE8FF04750F54452AE64DE7280DA78A5008FA1
                                    APIs
                                    • _memset.LIBCMT ref: 00E0A259
                                    • DestroyWindow.USER32(?,?), ref: 00E0A2D3
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E0A34D
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E0A36F
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E0A382
                                    • DestroyWindow.USER32(00000000), ref: 00E0A3A4
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D80000,00000000), ref: 00E0A3DB
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E0A3F4
                                    • GetDesktopWindow.USER32 ref: 00E0A40D
                                    • GetWindowRect.USER32(00000000), ref: 00E0A414
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E0A42C
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E0A444
                                      • Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 1297703922-3619404913
                                    • Opcode ID: 50b3d8b5e465c9932ee310e178cec750905e848769c30f3eb4c59e2653f7aeb0
                                    • Instruction ID: a647716501756398fe068ae74a31367d1c719cfbb364ee8fc02c2bc3ab7fd1dc
                                    • Opcode Fuzzy Hash: 50b3d8b5e465c9932ee310e178cec750905e848769c30f3eb4c59e2653f7aeb0
                                    • Instruction Fuzzy Hash: E171D375140304AFD725CF18CC49F6A77E6FB89304F08452DF985A72A1CB75E986CB62
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 00E04424
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E0446F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    • Opcode ID: 318ab59ca69a1d2029f3f4ae5dabbda6036c494eaab3e0da7596d2eed7ee79f8
                                    • Instruction ID: c2054c6a01747b0f2907fcd2ccf04c9beb9a05fd29803ddb74dd536b0ec6c0ea
                                    • Opcode Fuzzy Hash: 318ab59ca69a1d2029f3f4ae5dabbda6036c494eaab3e0da7596d2eed7ee79f8
                                    • Instruction Fuzzy Hash: 55917FB02047019FCB04EF10C961A6EB7E1EF95354F085869F9966B3E2DB31ED49CBA1
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E0B8B4
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E091C2), ref: 00E0B910
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E0B949
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E0B98C
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E0B9C3
                                    • FreeLibrary.KERNEL32(?), ref: 00E0B9CF
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E0B9DF
                                    • DestroyCursor.USER32(?), ref: 00E0B9EE
                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E0BA0B
                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E0BA17
                                      • Part of subcall function 00DA2EFD: __wcsicmp_l.LIBCMT ref: 00DA2F86
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                    • String ID: .dll$.exe$.icl
                                    • API String ID: 3907162815-1154884017
                                    • Opcode ID: 14a0b0c7c1926546d0d6c059e92e5e038672424bb36a0092ce65395c1861acc5
                                    • Instruction ID: 2eabdc9785b507ccc0ed3acd5bd5abd57a8d8c3c5fcd4fb11583d2f5d40c4a7c
                                    • Opcode Fuzzy Hash: 14a0b0c7c1926546d0d6c059e92e5e038672424bb36a0092ce65395c1861acc5
                                    • Instruction Fuzzy Hash: 4F61DC71900209BEEB28DF65CC81FBA7BA8FB08714F108116F915E61D1DB75AAD0DBB0
                                    APIs
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    • CharLowerBuffW.USER32(?,?), ref: 00DEA3CB
                                    • GetDriveTypeW.KERNEL32 ref: 00DEA418
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DEA460
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DEA497
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DEA4C5
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 2698844021-4113822522
                                    • Opcode ID: 1dbb996adb6650241fffff5a455b9f4dbedab7c5c4b3dbebf5f20b8d8871b237
                                    • Instruction ID: 5a6731831bfffb431d23f1ea06303913d5c7ea436c06501110bba07f1e72924b
                                    • Opcode Fuzzy Hash: 1dbb996adb6650241fffff5a455b9f4dbedab7c5c4b3dbebf5f20b8d8871b237
                                    • Instruction Fuzzy Hash: 17518C751043059FC700FF15C99186AB7F8EF84718F14886DF89A672A1DB31EE0ACBA2
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00DBE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00DDF8DF
                                    • LoadStringW.USER32(00000000,?,00DBE029,00000001), ref: 00DDF8E8
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00DBE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00DDF90A
                                    • LoadStringW.USER32(00000000,?,00DBE029,00000001), ref: 00DDF90D
                                    • __swprintf.LIBCMT ref: 00DDF95D
                                    • __swprintf.LIBCMT ref: 00DDF96E
                                    • _wprintf.LIBCMT ref: 00DDFA17
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DDFA2E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                    • API String ID: 984253442-2268648507
                                    • Opcode ID: 0a893c60d6ddc8c0f9daf542b5439dbd876362242a6391d416c84a8ab25241b3
                                    • Instruction ID: 59dfb988be89d0f2fa8903bc292f67fb376b3190cf7c7f3978703140f361474d
                                    • Opcode Fuzzy Hash: 0a893c60d6ddc8c0f9daf542b5439dbd876362242a6391d416c84a8ab25241b3
                                    • Instruction Fuzzy Hash: 65414F72904209AACF14FBE0DD96DEEB778EF14310F600065F506761A2EA35AF49CB71
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E09207,?,?), ref: 00E0BA56
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E09207,?,?,00000000,?), ref: 00E0BA6D
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E09207,?,?,00000000,?), ref: 00E0BA78
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00E09207,?,?,00000000,?), ref: 00E0BA85
                                    • GlobalLock.KERNEL32(00000000), ref: 00E0BA8E
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E09207,?,?,00000000,?), ref: 00E0BA9D
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00E0BAA6
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00E09207,?,?,00000000,?), ref: 00E0BAAD
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E0BABE
                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E12CAC,?), ref: 00E0BAD7
                                    • GlobalFree.KERNEL32(00000000), ref: 00E0BAE7
                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00E0BB0B
                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00E0BB36
                                    • DeleteObject.GDI32(00000000), ref: 00E0BB5E
                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E0BB74
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                    • String ID:
                                    • API String ID: 3840717409-0
                                    • Opcode ID: 86118a39c25af8a6f55f693cfb7d42970f95f630c0767c536333633e00f0f804
                                    • Instruction ID: 20cb92a625490507abbbcd4bd3c10639760b0af748680396721dfd2c12c81d00
                                    • Opcode Fuzzy Hash: 86118a39c25af8a6f55f693cfb7d42970f95f630c0767c536333633e00f0f804
                                    • Instruction Fuzzy Hash: 53412975600205EFDB21DF66DC88EABBBB8FB89715F104068F909E72A0D7319D95CB60
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 00DEDA10
                                    • _wcscat.LIBCMT ref: 00DEDA28
                                    • _wcscat.LIBCMT ref: 00DEDA3A
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DEDA4F
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00DEDA63
                                    • GetFileAttributesW.KERNEL32(?), ref: 00DEDA7B
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00DEDA95
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00DEDAA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                    • String ID: *.*
                                    • API String ID: 34673085-438819550
                                    • Opcode ID: 5dc0ba6b0e51d3eab10a9a8cb5107987eed28e5cd5e8ae4b66a1a03ffbf9f179
                                    • Instruction ID: 50c2ac490cf132e44569c2d2a841fe2fbde83ad7b1f4a172294a5e1db27efdc4
                                    • Opcode Fuzzy Hash: 5dc0ba6b0e51d3eab10a9a8cb5107987eed28e5cd5e8ae4b66a1a03ffbf9f179
                                    • Instruction Fuzzy Hash: 088171715043819FCB24FF66CC4496AB7E5EF89714F18482AF889DB252EA30D945CF72
                                    APIs
                                    • GetDC.USER32(00000000), ref: 00DF738F
                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00DF739B
                                    • CreateCompatibleDC.GDI32(?), ref: 00DF73A7
                                    • SelectObject.GDI32(00000000,?), ref: 00DF73B4
                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00DF7408
                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00DF7444
                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00DF7468
                                    • SelectObject.GDI32(00000006,?), ref: 00DF7470
                                    • DeleteObject.GDI32(?), ref: 00DF7479
                                    • DeleteDC.GDI32(00000006), ref: 00DF7480
                                    • ReleaseDC.USER32(00000000,?), ref: 00DF748B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                    • String ID: (
                                    • API String ID: 2598888154-3887548279
                                    • Opcode ID: b78624ac99d49b5478179fcdb0d744e910f245c3864f466d036f8bec84b227c2
                                    • Instruction ID: 9de81f8de27a40ff12fa1caebcd44aeadc69c8f32d8b6cb8abc6f7d79d510e8c
                                    • Opcode Fuzzy Hash: b78624ac99d49b5478179fcdb0d744e910f245c3864f466d036f8bec84b227c2
                                    • Instruction Fuzzy Hash: 86514C71904209EFCB24CFA9CC84EAEBBB9EF48310F14842DFA59A7211C771A9448B60
                                    APIs
                                      • Part of subcall function 00DA0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D86B0C,?,00008000), ref: 00DA0973
                                      • Part of subcall function 00D84750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D84743,?,?,00D837AE,?), ref: 00D84770
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D86BAD
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00D86CFA
                                      • Part of subcall function 00D8586D: _wcscpy.LIBCMT ref: 00D858A5
                                      • Part of subcall function 00DA363D: _iswctype.LIBCMT ref: 00DA3645
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 537147316-1018226102
                                    • Opcode ID: 48419f195d01f14d130458a0ddd87b6f1763635ca3564c1a34513a332c6b4fbd
                                    • Instruction ID: 839a66d0b1b94232eef56c6ca735cf4132d688751735a2d073d4a99538ac5dbe
                                    • Opcode Fuzzy Hash: 48419f195d01f14d130458a0ddd87b6f1763635ca3564c1a34513a332c6b4fbd
                                    • Instruction Fuzzy Hash: CB0258711083419FCB24EF24C891AAFBBE5EF99314F14491DF49A972A2DB30D949CB72
                                    APIs
                                    • _memset.LIBCMT ref: 00DE2D50
                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00DE2DDD
                                    • GetMenuItemCount.USER32(00E45890), ref: 00DE2E66
                                    • DeleteMenu.USER32(00E45890,00000005,00000000,000000F5,?,?), ref: 00DE2EF6
                                    • DeleteMenu.USER32(00E45890,00000004,00000000), ref: 00DE2EFE
                                    • DeleteMenu.USER32(00E45890,00000006,00000000), ref: 00DE2F06
                                    • DeleteMenu.USER32(00E45890,00000003,00000000), ref: 00DE2F0E
                                    • GetMenuItemCount.USER32(00E45890), ref: 00DE2F16
                                    • SetMenuItemInfoW.USER32(00E45890,00000004,00000000,00000030), ref: 00DE2F4C
                                    • GetCursorPos.USER32(?), ref: 00DE2F56
                                    • SetForegroundWindow.USER32(00000000), ref: 00DE2F5F
                                    • TrackPopupMenuEx.USER32(00E45890,00000000,?,00000000,00000000,00000000), ref: 00DE2F72
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DE2F7E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 3993528054-0
                                    • Opcode ID: 4390ed24c906506fe07098f37fd8e59a59629e6f41723705daf2bd361458e41f
                                    • Instruction ID: f1e2934789bd3672a1582fc9b114d4fbad28c5bc48c1ddba6c4188485b77cbdd
                                    • Opcode Fuzzy Hash: 4390ed24c906506fe07098f37fd8e59a59629e6f41723705daf2bd361458e41f
                                    • Instruction Fuzzy Hash: 7171DF71640295BEEB21AB56DC85FBABF68FF04724F140216F615A61E1C7B19C60CBB0
                                    APIs
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    • _memset.LIBCMT ref: 00DD786B
                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DD78A0
                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DD78BC
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DD78D8
                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DD7902
                                    • CLSIDFromString.COMBASE(?,?), ref: 00DD792A
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DD7935
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DD793A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                    • API String ID: 1411258926-22481851
                                    • Opcode ID: 06562969c44e3d818427a4c6dc313ed5f7878ef46c84fa274c17c15c3aabe372
                                    • Instruction ID: 76300f708ad830602f3a88e4b0d4466ae397e453ce28326f67a0db17bff0fb2a
                                    • Opcode Fuzzy Hash: 06562969c44e3d818427a4c6dc313ed5f7878ef46c84fa274c17c15c3aabe372
                                    • Instruction Fuzzy Hash: F1410876C14229ABCF21EBA4DC95DEDB778FF04310F44416AE905B3261EA319D19CBB0
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFFDAD,?,?), ref: 00E00E31
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    • Opcode ID: bc106c58f6289260cce4e73c0517d435cdb859f0a8e731b24cd019b819c277cc
                                    • Instruction ID: 77e061a8de08013d8b7b5d11d190d57c7b59dfe211a339ea9ae45f7aeb21fb11
                                    • Opcode Fuzzy Hash: bc106c58f6289260cce4e73c0517d435cdb859f0a8e731b24cd019b819c277cc
                                    • Instruction Fuzzy Hash: 83414A3120025A8BCF20EF10D896AEE3B64FF52354F181464FD652B2D2DB759D9ADBB0
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DBE2A0,00000010,?,Bad directive syntax error,00E0F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00DDF7C2
                                    • LoadStringW.USER32(00000000,?,00DBE2A0,00000010), ref: 00DDF7C9
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                    • _wprintf.LIBCMT ref: 00DDF7FC
                                    • __swprintf.LIBCMT ref: 00DDF81E
                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DDF88D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                    • API String ID: 1506413516-4153970271
                                    APIs
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                      • Part of subcall function 00D87924: _memmove.LIBCMT ref: 00D879AD
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DE5330
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DE5346
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DE5357
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DE5369
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DE537A
                                    Strings
                                    Similarity
                                    • API ID: SendString$_memmove
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 2279737902-1007645807
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 208665112-3771769585
                                    APIs
                                    • timeGetTime.WINMM ref: 00DE4F7A
                                      • Part of subcall function 00DA049F: timeGetTime.WINMM(?,76C1B400,00D90E7B), ref: 00DA04A3
                                    • Sleep.KERNEL32(0000000A), ref: 00DE4FA6
                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00DE4FCA
                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DE4FEC
                                    • SetActiveWindow.USER32 ref: 00DE500B
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DE5019
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00DE5038
                                    • Sleep.KERNEL32(000000FA), ref: 00DE5043
                                    • IsWindow.USER32 ref: 00DE504F
                                    • EndDialog.USER32(00000000), ref: 00DE5060
                                    Strings
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    APIs
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    • CoInitialize.OLE32(00000000), ref: 00DED5EA
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DED67D
                                    • SHGetDesktopFolder.SHELL32(?), ref: 00DED691
                                    • CoCreateInstance.COMBASE(00E12D7C,00000000,00000001,00E38C1C,?), ref: 00DED6DD
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DED74C
                                    • CoTaskMemFree.COMBASE(?), ref: 00DED7A4
                                    • _memset.LIBCMT ref: 00DED7E1
                                    • SHBrowseForFolderW.SHELL32(?), ref: 00DED81D
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DED840
                                    • CoTaskMemFree.COMBASE(00000000), ref: 00DED847
                                    • CoTaskMemFree.COMBASE(00000000), ref: 00DED87E
                                    • CoUninitialize.COMBASE ref: 00DED880
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 1246142700-0
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 00DDC283
                                    • GetWindowRect.USER32(00000000,?), ref: 00DDC295
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00DDC2F3
                                    • GetDlgItem.USER32(?,00000002), ref: 00DDC2FE
                                    • GetWindowRect.USER32(00000000,?), ref: 00DDC310
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00DDC364
                                    • GetDlgItem.USER32(?,000003E9), ref: 00DDC372
                                    • GetWindowRect.USER32(00000000,?), ref: 00DDC383
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00DDC3C6
                                    • GetDlgItem.USER32(?,000003EA), ref: 00DDC3D4
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DDC3F1
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00DDC3FE
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    APIs
                                      • Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC
                                    • GetSysColor.USER32(0000000F), ref: 00D821D3
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,00E0F910), ref: 00DEA90B
                                    • GetDriveTypeW.KERNEL32(00000061,00E389A0,00000061), ref: 00DEA9D5
                                    • _wcscpy.LIBCMT ref: 00DEA9FF
                                    Strings
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: __i64tow__itow__swprintf
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 421087845-2263619337
                                    APIs
                                    • _memset.LIBCMT ref: 00E0716A
                                    • CreateMenu.USER32 ref: 00E07185
                                    • SetMenu.USER32(?,00000000), ref: 00E07194
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E07221
                                    • IsMenu.USER32(?), ref: 00E07237
                                    • CreatePopupMenu.USER32 ref: 00E07241
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E0726E
                                    • DrawMenuBar.USER32 ref: 00E07276
                                    Strings
                                    Similarity
                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                    • String ID: 0$F
                                    • API String ID: 176399719-3044882817
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E0755E
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00E07565
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E07578
                                    • SelectObject.GDI32(00000000,00000000), ref: 00E07580
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E0758B
                                    • DeleteDC.GDI32(00000000), ref: 00E07594
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00E0759E
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E075B2
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E075BE
                                    Strings
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    APIs
                                    • _memset.LIBCMT ref: 00DA6E3E
                                      • Part of subcall function 00DA8B28: __getptd_noexit.LIBCMT ref: 00DA8B28
                                    • __gmtime64_s.LIBCMT ref: 00DA6ED7
                                    • __gmtime64_s.LIBCMT ref: 00DA6F0D
                                    • __gmtime64_s.LIBCMT ref: 00DA6F2A
                                    • __allrem.LIBCMT ref: 00DA6F80
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA6F9C
                                    • __allrem.LIBCMT ref: 00DA6FB3
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA6FD1
                                    • __allrem.LIBCMT ref: 00DA6FE8
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA7006
                                    • __invoke_watson.LIBCMT ref: 00DA7077
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    APIs
                                    • _memset.LIBCMT ref: 00DE2542
                                    • GetMenuItemInfoW.USER32(00E45890,000000FF,00000000,00000030), ref: 00DE25A3
                                    • SetMenuItemInfoW.USER32(00E45890,00000004,00000000,00000030), ref: 00DE25D9
                                    • Sleep.KERNEL32(000001F4), ref: 00DE25EB
                                    • GetMenuItemCount.USER32(?), ref: 00DE262F
                                    • GetMenuItemID.USER32(?,00000000), ref: 00DE264B
                                    • GetMenuItemID.USER32(?,-00000001), ref: 00DE2675
                                    • GetMenuItemID.USER32(?,?), ref: 00DE26BA
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DE2700
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE2714
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE2735
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E06FA5
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E06FA8
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00E06FCC
                                    • _memset.LIBCMT ref: 00E06FDD
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E06FEF
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E07067
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DD6BBF
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00DD6C18
                                    • VariantInit.OLEAUT32(?), ref: 00DD6C2A
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DD6C4A
                                    • VariantCopy.OLEAUT32(?,?), ref: 00DD6C9D
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DD6CB1
                                    • VariantClear.OLEAUT32(?), ref: 00DD6CC6
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00DD6CD3
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DD6CDC
                                    • VariantClear.OLEAUT32(?), ref: 00DD6CEE
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DD6CF9
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    APIs
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    • CoInitialize.OLE32 ref: 00DF8403
                                    • CoUninitialize.COMBASE ref: 00DF840E
                                    • CoCreateInstance.COMBASE(?,00000000,00000017,00E12BEC,?), ref: 00DF846E
                                    • IIDFromString.COMBASE(?,?), ref: 00DF84E1
                                    • VariantInit.OLEAUT32(?), ref: 00DF857B
                                    • VariantClear.OLEAUT32(?), ref: 00DF85DC
                                    Strings
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 834269672-1287834457
                                    APIs
                                    • WSAStartup.WS2_32(00000101,?), ref: 00DF5793
                                    • inet_addr.WS2_32(?), ref: 00DF57D8
                                    • gethostbyname.WS2_32(?), ref: 00DF57E4
                                    • IcmpCreateFile.IPHLPAPI ref: 00DF57F2
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF5862
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF5878
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00DF58ED
                                    • WSACleanup.WS2_32 ref: 00DF58F3
                                    Strings
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00DEB4D0
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DEB546
                                    • GetLastError.KERNEL32 ref: 00DEB550
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00DEB5BD
                                    Strings
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00DDAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00DDAABC
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00DD9014
                                    • GetDlgCtrlID.USER32 ref: 00DD901F
                                    • GetParent.USER32 ref: 00DD903B
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DD903E
                                    • GetDlgCtrlID.USER32(?), ref: 00DD9047
                                    • GetParent.USER32(?), ref: 00DD9063
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00DD9066
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00DDAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00DDAABC
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00DD90FD
                                    • GetDlgCtrlID.USER32 ref: 00DD9108
                                    • GetParent.USER32 ref: 00DD9124
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DD9127
                                    • GetDlgCtrlID.USER32(?), ref: 00DD9130
                                    • GetParent.USER32(?), ref: 00DD914C
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00DD914F
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    APIs
                                    • GetParent.USER32 ref: 00DD916F
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00DD9184
                                    • _wcscmp.LIBCMT ref: 00DD9196
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DD9211
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00DF88D7
                                    • CoInitialize.OLE32(00000000), ref: 00DF8904
                                    • CoUninitialize.COMBASE ref: 00DF890E
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00DF8A0E
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00DF8B3B
                                    • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00E12C0C), ref: 00DF8B6F
                                    • CoGetObject.OLE32(?,00000000,00E12C0C,?), ref: 00DF8B92
                                    • SetErrorMode.KERNEL32(00000000), ref: 00DF8BA5
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DF8C25
                                    • VariantClear.OLEAUT32(?), ref: 00DF8C35
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                    • String ID:
                                    • API String ID: 2395222682-0
                                    APIs
                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00DE7A6C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ArraySafeVartype
                                    • String ID:
                                    • API String ID: 1725837607-0
                                    • Opcode ID: 7ab559a729cfb9b5331d12eb97cfcefe32f704487cc92138e0b196f1a565393c
                                    • Instruction ID: 4f7da838094cdaaa5fb26ee034132d1071daebd4f1103fa03724623c381d684a
                                    • Opcode Fuzzy Hash: 7ab559a729cfb9b5331d12eb97cfcefe32f704487cc92138e0b196f1a565393c
                                    • Instruction Fuzzy Hash: 31B1917190424A9FDB50EFA6C884BBEB7B8FF09321F244469EA51E7241D734E941CBB0
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00DE11F0
                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DE0268,?,00000001), ref: 00DE1204
                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00DE120B
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DE0268,?,00000001), ref: 00DE121A
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DE122C
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DE0268,?,00000001), ref: 00DE1245
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DE0268,?,00000001), ref: 00DE1257
                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DE0268,?,00000001), ref: 00DE129C
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DE0268,?,00000001), ref: 00DE12B1
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DE0268,?,00000001), ref: 00DE12BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                    • String ID:
                                    • API String ID: 2156557900-0
                                    • Opcode ID: 3c4fbe8c03ddbeeefe1e5ce125a1ba3c588a7d4b43f801c5156d72a3d7e492cd
                                    • Instruction ID: 30bf88a247a752b1d334289f86cd42c52fca36fcb5dd11e5a54dd4104a615526
                                    • Opcode Fuzzy Hash: 3c4fbe8c03ddbeeefe1e5ce125a1ba3c588a7d4b43f801c5156d72a3d7e492cd
                                    • Instruction Fuzzy Hash: B131DD7D700304BFDF20AF53EC89FA937A9AB56315F144125FA00E61A0D7719D888BA5
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D8FAA6
                                    • OleUninitialize.OLE32(?,00000000), ref: 00D8FB45
                                    • UnregisterHotKey.USER32(?), ref: 00D8FC9C
                                    • DestroyWindow.USER32(?), ref: 00DC45D6
                                    • FreeLibrary.KERNEL32(?), ref: 00DC463B
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC4668
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: 3aeaaa165a2d9b4ea467162cf84b80567a5d3c67e473ecf15b11fba2cae79290
                                    • Instruction ID: 7dae67815a1fe6d0f0a979fee8768b29ff7fc933c82a60ae790068f4d3cd6785
                                    • Opcode Fuzzy Hash: 3aeaaa165a2d9b4ea467162cf84b80567a5d3c67e473ecf15b11fba2cae79290
                                    • Instruction Fuzzy Hash: 50A126347012128FCB29EF15C9A5B69F7A4EF05710F5442ADE80AAB265DB30ED56CFB0
                                    APIs
                                    • EnumChildWindows.USER32(?,00DDA439), ref: 00DDA377
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: 15ef0ef0ac765e6bd2607b79f67b07d5e28e7bdd0c4f89953dbbe3128048ce4d
                                    • Instruction ID: fdacf4dce10e5df117c1fb62c85f8857f27ae792790bda01a4a45e5eecdafa40
                                    • Opcode Fuzzy Hash: 15ef0ef0ac765e6bd2607b79f67b07d5e28e7bdd0c4f89953dbbe3128048ce4d
                                    • Instruction Fuzzy Hash: 5091B530900605ABCB18EFA8C446BEDFFB5FF45300F58D11AE499A7241DB31A999DBB1
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00D82EAE
                                      • Part of subcall function 00D81DB3: GetClientRect.USER32(?,?), ref: 00D81DDC
                                      • Part of subcall function 00D81DB3: GetWindowRect.USER32(?,?), ref: 00D81E1D
                                      • Part of subcall function 00D81DB3: ScreenToClient.USER32(?,?), ref: 00D81E45
                                    • GetDC.USER32 ref: 00DBCD32
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DBCD45
                                    • SelectObject.GDI32(00000000,00000000), ref: 00DBCD53
                                    • SelectObject.GDI32(00000000,00000000), ref: 00DBCD68
                                    • ReleaseDC.USER32(?,00000000), ref: 00DBCD70
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DBCDFB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: 82956e00c43a513fef2107ab5f3d6037af3a388d781beda9a53896b8b2b46695
                                    • Instruction ID: 0a097f142c6816f0a97238bb870e5decc48e832f19a06b35370e0c02d24d3a47
                                    • Opcode Fuzzy Hash: 82956e00c43a513fef2107ab5f3d6037af3a388d781beda9a53896b8b2b46695
                                    • Instruction Fuzzy Hash: A571BD35500205DFCF219F64C884AFA7BB5FF49320F18526AFD966A2A6C731C895DB70
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DF1A50
                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DF1A7C
                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00DF1ABE
                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DF1AD3
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DF1AE0
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00DF1B10
                                    • InternetCloseHandle.WININET(00000000), ref: 00DF1B57
                                      • Part of subcall function 00DF2483: GetLastError.KERNEL32(?,?,00DF1817,00000000,00000000,00000001), ref: 00DF2498
                                      • Part of subcall function 00DF2483: SetEvent.KERNEL32(?,?,00DF1817,00000000,00000000,00000001), ref: 00DF24AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                    • String ID:
                                    • API String ID: 2603140658-3916222277
                                    • Opcode ID: 4dda2753eb004db435e83afe71e456129928aba4bc4c9a7cf98c2e4f38305289
                                    • Instruction ID: 7da0e98b55460a3756ae013919516cdc27dc5badf08dc48ebebd91674bd46a90
                                    • Opcode Fuzzy Hash: 4dda2753eb004db435e83afe71e456129928aba4bc4c9a7cf98c2e4f38305289
                                    • Instruction Fuzzy Hash: 38418EB5501218FFEB118F50CC85FBA7BACEF09354F098126FA05AA141E7B19E558BB1
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E0F910), ref: 00DF8D28
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E0F910), ref: 00DF8D5C
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DF8ED6
                                    • SysFreeString.OLEAUT32(?), ref: 00DF8F00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    • Opcode ID: 2b1c005b0485ce56d329a0045b3619b5c518abfe66e129195934587e61711549
                                    • Instruction ID: b132ad860ce28e8a8e190ae2b7d485c8788d1cda0644b7f3e1ffaa4750cf0ddb
                                    • Opcode Fuzzy Hash: 2b1c005b0485ce56d329a0045b3619b5c518abfe66e129195934587e61711549
                                    • Instruction Fuzzy Hash: A4F13771A00209AFCB14DF94C884EBEB7B9FF49314F158498FA05AB251DB31AE45DB61
                                    APIs
                                    • _memset.LIBCMT ref: 00DFF6B5
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFF848
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFF86C
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFF8AC
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFF8CE
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DFFA4A
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00DFFA7C
                                    • CloseHandle.KERNEL32(?), ref: 00DFFAAB
                                    • CloseHandle.KERNEL32(?), ref: 00DFFB22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: 1f1203b43a1c4a3419ef117eee1097f9339421c258f5c583289b436686baab50
                                    • Instruction ID: 199a22aec9ed1971934faa4c03f7fc391948e47a48864f7c8e846f7774db338e
                                    • Opcode Fuzzy Hash: 1f1203b43a1c4a3419ef117eee1097f9339421c258f5c583289b436686baab50
                                    • Instruction Fuzzy Hash: B4E19F312043059FCB14EF24C891A7ABBE1EF85354F19896DF9999B2A1CB31EC45CB72
                                    APIs
                                      • Part of subcall function 00D81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D82036,?,00000000,?,?,?,?,00D816CB,00000000,?), ref: 00D81B9A
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D820D3
                                    • KillTimer.USER32(-00000001,?,?,?,?,00D816CB,00000000,?,?,00D81AE2,?,?), ref: 00D8216E
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00DBBCA6
                                    • DeleteObject.GDI32(00000000), ref: 00DBBD1C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 2402799130-0
                                    • Opcode ID: ae3cc124f95d4ce4570876dc1eafcbb7745d53aac6870ce71be62ce2c1c3e7d4
                                    • Instruction ID: 2128827fa822b8c123b7a43eae430f2f38914217e0cdb9b88d054daba5f8dbb1
                                    • Opcode Fuzzy Hash: ae3cc124f95d4ce4570876dc1eafcbb7745d53aac6870ce71be62ce2c1c3e7d4
                                    • Instruction Fuzzy Hash: D161AF35100B10DFCB39AF15D948B39B7F1FB45312F18442AE4836A971CBB5A899CBA0
                                    APIs
                                      • Part of subcall function 00DE466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DE3697,?), ref: 00DE468B
                                      • Part of subcall function 00DE466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DE3697,?), ref: 00DE46A4
                                      • Part of subcall function 00DE4A31: GetFileAttributesW.KERNEL32(?,00DE370B), ref: 00DE4A32
                                    • lstrcmpiW.KERNEL32(?,?), ref: 00DE4D40
                                    • _wcscmp.LIBCMT ref: 00DE4D5A
                                    • MoveFileW.KERNEL32(?,?), ref: 00DE4D75
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    • Opcode ID: 25f19008e6fd06ae7b2bd2c5191ecdf98eff2a21eb50bf7b60f2a3fe801fddce
                                    • Instruction ID: 9003bedced532d7358cb863db627e57021cfc793869405e57217f9c0c7f2d98c
                                    • Opcode Fuzzy Hash: 25f19008e6fd06ae7b2bd2c5191ecdf98eff2a21eb50bf7b60f2a3fe801fddce
                                    • Instruction Fuzzy Hash: 48515FB20083859BC665EB65DC819DBB3ECEF85750F04092EF289D3151EE34E688CB76
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E086FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: ce180be39abe898bb30da24c7e66bfe46d26c9e65dc191276a9556a4ce3dbeb4
                                    • Instruction ID: 8316be9d07635811651999d42a65782b68f10e794b4147cb1b3c5dbc1efc6944
                                    • Opcode Fuzzy Hash: ce180be39abe898bb30da24c7e66bfe46d26c9e65dc191276a9556a4ce3dbeb4
                                    • Instruction Fuzzy Hash: D351B230500245BFDB249F29DD89FAD7BA4EB05728F646122F990F61E1CF72A9D0CB60
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00DBC2F7
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DBC319
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DBC331
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DBC34F
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DBC370
                                    • DestroyCursor.USER32(00000000), ref: 00DBC37F
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DBC39C
                                    • DestroyCursor.USER32(?), ref: 00DBC3AB
                                      • Part of subcall function 00E0A4AF: DeleteObject.GDI32(00000000), ref: 00E0A4E8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                    • String ID:
                                    • API String ID: 2975913752-0
                                    • Opcode ID: f3db9aa9f5ce52d6228e12a3186466f76a116b79ff58178d043478e0cce75574
                                    • Instruction ID: a8204e5b8a559d549ddc4a4c40b1eed898ef75310aaaa31ba3a2b9ebc180b91b
                                    • Opcode Fuzzy Hash: f3db9aa9f5ce52d6228e12a3186466f76a116b79ff58178d043478e0cce75574
                                    • Instruction Fuzzy Hash: FB516574A10209EFDB24EF65CC45BBA3BE5FB58320F144528F942A72A0DB71EC90DB60
                                    APIs
                                      • Part of subcall function 00DDA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DDA84C
                                      • Part of subcall function 00DDA82C: GetCurrentThreadId.KERNEL32 ref: 00DDA853
                                      • Part of subcall function 00DDA82C: AttachThreadInput.USER32(00000000,?,00DD9683,?,00000001), ref: 00DDA85A
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD968E
                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DD96AB
                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00DD96AE
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD96B7
                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DD96D5
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00DD96D8
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD96E1
                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DD96F8
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00DD96FB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                    • String ID:
                                    • API String ID: 2014098862-0
                                    • Opcode ID: 2afd6898cfbe8408e8c7b7ab600a19fd76767d6875b7ca93238553276165e481
                                    • Instruction ID: c8134e23d79bef265766f77d83cfeab857950623b1487bddc785fa812cda2287
                                    • Opcode Fuzzy Hash: 2afd6898cfbe8408e8c7b7ab600a19fd76767d6875b7ca93238553276165e481
                                    • Instruction Fuzzy Hash: B511E1B1910218BEF6206F65DC89F6A7F2DEB4C750F100426F644AB1A1C9F35CA1DAF4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00DD853C,00000B00,?,?), ref: 00DD892A
                                    • RtlAllocateHeap.NTDLL(00000000,?,00DD853C), ref: 00DD8931
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DD853C,00000B00,?,?), ref: 00DD8946
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00DD853C,00000B00,?,?), ref: 00DD894E
                                    • DuplicateHandle.KERNEL32(00000000,?,00DD853C,00000B00,?,?), ref: 00DD8951
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00DD853C,00000B00,?,?), ref: 00DD8961
                                    • GetCurrentProcess.KERNEL32(00DD853C,00000000,?,00DD853C,00000B00,?,?), ref: 00DD8969
                                    • DuplicateHandle.KERNEL32(00000000,?,00DD853C,00000B00,?,?), ref: 00DD896C
                                    • CreateThread.KERNEL32(00000000,00000000,00DD8992,00000000,00000000,00000000), ref: 00DD8986
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                    • String ID:
                                    • API String ID: 1422014791-0
                                    • Opcode ID: 6229aedf26e54666bcc40ed481775a45b4055db7d580199ee7134b36a0be2d4c
                                    • Instruction ID: 20eb5555c8d2a787a968f7fd963f41edb3ef0497b3a83f43cf24c5c3bb1e72f3
                                    • Opcode Fuzzy Hash: 6229aedf26e54666bcc40ed481775a45b4055db7d580199ee7134b36a0be2d4c
                                    • Instruction Fuzzy Hash: 8601AC75641304FFE620ABA5DC49F673B6CEB89711F404421FA05DB5A2CA71D8548A20
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2862541840-625585964
                                    • Opcode ID: a60f3a7c6701b083cf3f7fae178e662e6f57fc6a7642f14ff2813a6657b4eebd
                                    • Instruction ID: ddb03d3af89324d47f9c8d719c051b8781a23f2a3406a265b6a4dd152c5b9a72
                                    • Opcode Fuzzy Hash: a60f3a7c6701b083cf3f7fae178e662e6f57fc6a7642f14ff2813a6657b4eebd
                                    • Instruction Fuzzy Hash: 3991AC70E00219ABDF20DFA5CC58FAEBBB8EF85710F158159FA15AB280D7709945CBB0
                                    APIs
                                      • Part of subcall function 00DD710A: CLSIDFromProgID.COMBASE ref: 00DD7127
                                      • Part of subcall function 00DD710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DD7142
                                      • Part of subcall function 00DD710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD7044,80070057,?,?), ref: 00DD7150
                                      • Part of subcall function 00DD710A: CoTaskMemFree.COMBASE(00000000), ref: 00DD7160
                                    • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00DF9806
                                    • _memset.LIBCMT ref: 00DF9813
                                    • _memset.LIBCMT ref: 00DF9956
                                    • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00DF9982
                                    • CoTaskMemFree.COMBASE(?), ref: 00DF998D
                                    Strings
                                    • NULL Pointer assignment, xrefs: 00DF99DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 1300414916-2785691316
                                    • Opcode ID: 20d0f62214fe2fc0db289a89397548c94b2cbf902a95b26b15d66069361f35eb
                                    • Instruction ID: 56c8abe5fbf0b1f70719c9d87effa9f52bfc08bfa71e3467fb1a054dc72d7167
                                    • Opcode Fuzzy Hash: 20d0f62214fe2fc0db289a89397548c94b2cbf902a95b26b15d66069361f35eb
                                    • Instruction Fuzzy Hash: 81911771D0021DABDB10EFA5DC55AEEBBB9EF08310F20815AE519A7251DB719A44CFB0
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E06E24
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E06E38
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E06E52
                                    • _wcscat.LIBCMT ref: 00E06EAD
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E06EC4
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E06EF2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: SysListView32
                                    • API String ID: 307300125-78025650
                                    • Opcode ID: c69ed898f38d3c3f5451064c263c198463faec743259671c57954025228eba77
                                    • Instruction ID: ef8a8060f90bbf7005e43e513a8649b47036a9b354ea61d451f319dec546beb1
                                    • Opcode Fuzzy Hash: c69ed898f38d3c3f5451064c263c198463faec743259671c57954025228eba77
                                    • Instruction Fuzzy Hash: CA41CE70A00309AFEB219F64CC85BEAB7F8EF08354F10142AF584B72D2D6729DD58B60
                                    APIs
                                      • Part of subcall function 00DE3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00DE3C7A
                                      • Part of subcall function 00DE3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00DE3C88
                                      • Part of subcall function 00DE3C55: CloseHandle.KERNEL32(00000000), ref: 00DE3D52
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFE9A4
                                    • GetLastError.KERNEL32 ref: 00DFE9B7
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFE9E6
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DFEA63
                                    • GetLastError.KERNEL32(00000000), ref: 00DFEA6E
                                    • CloseHandle.KERNEL32(00000000), ref: 00DFEAA3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: f0b3da82ca70a4b7b0a6022f0087270601cfedbd474a6b7433278a598bd6bd46
                                    • Instruction ID: d87a01d7f8434825a60db8a0152fd4ee0570ecb9a88510ff99e7239184375565
                                    • Opcode Fuzzy Hash: f0b3da82ca70a4b7b0a6022f0087270601cfedbd474a6b7433278a598bd6bd46
                                    • Instruction Fuzzy Hash: 3D418731200205AFDB25EF14CCA5F7EB7A5EF44314F088419FA469B2D2CBB5A848CBB1
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 00DE3033
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: ed98114aa8d8c26ed4a6eeba0810ac4162bc260b955b363b5250a53dd07b5b80
                                    • Instruction ID: 32da86930dfa95ab600fefcbfef6fff7ab0020d496274fef7ad94bdce715de4d
                                    • Opcode Fuzzy Hash: ed98114aa8d8c26ed4a6eeba0810ac4162bc260b955b363b5250a53dd07b5b80
                                    • Instruction Fuzzy Hash: A111D8313493C6BED725AE5ADC8AD7B7B9CDF15360F14002AF900A7181DA619F4095B5
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DE4312
                                    • LoadStringW.USER32(00000000), ref: 00DE4319
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DE432F
                                    • LoadStringW.USER32(00000000), ref: 00DE4336
                                    • _wprintf.LIBCMT ref: 00DE435C
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DE437A
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 00DE4357
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    • Opcode ID: 033e39a489f373d87cb5e47a5175e3b247f6529e3cb74ac2e01df320660c87a9
                                    • Instruction ID: 0b80ec550b572330a970b4752a6295db9682c39421d78b9c03a17ceabf8f85d4
                                    • Opcode Fuzzy Hash: 033e39a489f373d87cb5e47a5175e3b247f6529e3cb74ac2e01df320660c87a9
                                    • Instruction Fuzzy Hash: B1012CF2900208BFE761A7A19D89EE7766CEB08310F4005A1F745E2051EA769ED94B70
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DBC1C7,00000004,00000000,00000000,00000000), ref: 00D82ACF
                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00DBC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00D82B17
                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00DBC1C7,00000004,00000000,00000000,00000000), ref: 00DBC21A
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DBC1C7,00000004,00000000,00000000,00000000), ref: 00DBC286
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: 7ba9d0b8c3dad426764c8d5b98c467e37fb8f9277067a58839dd34ddfa0eb221
                                    • Instruction ID: 0d9e041f319a49f0d5692682097ebc9b6c44daef75e2507248b6553f584d2c71
                                    • Opcode Fuzzy Hash: 7ba9d0b8c3dad426764c8d5b98c467e37fb8f9277067a58839dd34ddfa0eb221
                                    • Instruction Fuzzy Hash: 2B41E635214780EEC73DAB29DC88B7A7B96BF45310F1C882DE09796561C671E885D731
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00DE70DD
                                      • Part of subcall function 00DA0DB6: std::exception::exception.LIBCMT ref: 00DA0DEC
                                      • Part of subcall function 00DA0DB6: __CxxThrowException@8.LIBCMT ref: 00DA0E01
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00DE7114
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00DE7130
                                    • _memmove.LIBCMT ref: 00DE717E
                                    • _memmove.LIBCMT ref: 00DE719B
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00DE71AA
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00DE71BF
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DE71DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 256516436-0
                                    • Opcode ID: 1451214810be4d7dd3d1d119887f15fcd14db66062898da9140ae060214e5f67
                                    • Instruction ID: 5c6d9b559d09b0a81151ebffa680af2d4e7159a9bf48596273adabf7d8253ef9
                                    • Opcode Fuzzy Hash: 1451214810be4d7dd3d1d119887f15fcd14db66062898da9140ae060214e5f67
                                    • Instruction Fuzzy Hash: 96316D32900205EFCF10EFA5DC85AAABBB8EF45310F1441A5F904AB256DB71DA54DBB1
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 00E061EB
                                    • GetDC.USER32(00000000), ref: 00E061F3
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E061FE
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00E0620A
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E06246
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E06257
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E0902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00E06291
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E062B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    • Opcode ID: 20bded38ddd5976ba7cd79ac3ba886ef770e5bc3f91db635f9643fcbc06d353b
                                    • Instruction ID: 5ca411340a0dd996013ee50dc17941fb2db067d4a81ab44e3b28a99115380be6
                                    • Opcode Fuzzy Hash: 20bded38ddd5976ba7cd79ac3ba886ef770e5bc3f91db635f9643fcbc06d353b
                                    • Instruction Fuzzy Hash: F6317172101210BFEB218F51DC4AFEA3BADEF59755F044065FE08AA1A1C6769C91CBB0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: ffb446ba37e7d926a573118ca006e280d1df4c52f4519984a84e9afef0d531ab
                                    • Instruction ID: 7bed732daaa1d3d384042d646d5bc92e543a4a1cd542a6f72c727ab7889e4b31
                                    • Opcode Fuzzy Hash: ffb446ba37e7d926a573118ca006e280d1df4c52f4519984a84e9afef0d531ab
                                    • Instruction Fuzzy Hash: 0C21BE71601305BBA60466399D42FFBB75CEE153ACF0A4027FE05A6747EBA4DE2182B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8a05e8d5da719a2cc194ddd5a3a523ad8d25519e3ca112c27e5e112f2be5a39a
                                    • Instruction ID: 1b1707d9c07bbeb7f86391fa451add772de45a104ba74d237832f53e66bbda46
                                    • Opcode Fuzzy Hash: 8a05e8d5da719a2cc194ddd5a3a523ad8d25519e3ca112c27e5e112f2be5a39a
                                    • Instruction Fuzzy Hash: 26717C34900109EFCB14DF99CC49EBEBB79FF85320F148159F916AA251C770AA56CBB4
                                    APIs
                                    • IsWindow.USER32(01033A78), ref: 00E0B3EB
                                    • IsWindowEnabled.USER32(01033A78), ref: 00E0B3F7
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E0B4DB
                                    • SendMessageW.USER32(01033A78,000000B0,?,?), ref: 00E0B512
                                    • IsDlgButtonChecked.USER32(?,?), ref: 00E0B54F
                                    • GetWindowLongW.USER32(01033A78,000000EC), ref: 00E0B571
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E0B589
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                    • String ID:
                                    • API String ID: 4072528602-0
                                    • Opcode ID: da7c3cde1a96d679dea95161058d215351469adabb1e27a11fce0f7c7fba7142
                                    • Instruction ID: 762a96ab3af90a6668f756fd6896c50bcf460a887beba76d072d3dc7c851d286
                                    • Opcode Fuzzy Hash: da7c3cde1a96d679dea95161058d215351469adabb1e27a11fce0f7c7fba7142
                                    • Instruction Fuzzy Hash: 6C71AE34600204EFDB209F55D894FBA7BB9FF09304F146069EA61B72E2D772AA91CB50
                                    APIs
                                    • _memset.LIBCMT ref: 00DFF448
                                    • _memset.LIBCMT ref: 00DFF511
                                    • ShellExecuteExW.SHELL32(?), ref: 00DFF556
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                      • Part of subcall function 00D9FC86: _wcscpy.LIBCMT ref: 00D9FCA9
                                    • GetProcessId.KERNEL32(00000000), ref: 00DFF5CD
                                    • CloseHandle.KERNEL32(00000000), ref: 00DFF5FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 3522835683-2766056989
                                    • Opcode ID: 1c8f262daae4d6713d79e71403006096c6e2b3322ef0d240e86839081b2e8633
                                    • Instruction ID: b9d93fab784fd4550fe0a7609e073f08044026ff0253a38c87ec308d21e30196
                                    • Opcode Fuzzy Hash: 1c8f262daae4d6713d79e71403006096c6e2b3322ef0d240e86839081b2e8633
                                    • Instruction Fuzzy Hash: 0A618B75A006199FCF14EF68C8919AEFBF5FF49314F198069E856AB351CB30AD41CBA0
                                    APIs
                                    • GetParent.USER32(?), ref: 00DE0F8C
                                    • GetKeyboardState.USER32(?), ref: 00DE0FA1
                                    • SetKeyboardState.USER32(?), ref: 00DE1002
                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00DE1030
                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00DE104F
                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00DE1095
                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DE10B8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: c5e3d7177bd89a4a21cb8960fe3cab11c70c509a7ae18957ee803149e893b715
                                    • Instruction ID: d732b18c76e789697762fcd2ae97a010e4472255b82ce29580e4d47dc0102f6b
                                    • Opcode Fuzzy Hash: c5e3d7177bd89a4a21cb8960fe3cab11c70c509a7ae18957ee803149e893b715
                                    • Instruction Fuzzy Hash: 5151E3706047D53DFB3662368C15BBABEA95F06304F0C8589E1D5558C2C2E9DCD8D771
                                    APIs
                                    • GetParent.USER32(00000000), ref: 00DE0DA5
                                    • GetKeyboardState.USER32(?), ref: 00DE0DBA
                                    • SetKeyboardState.USER32(?), ref: 00DE0E1B
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DE0E47
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DE0E64
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DE0EA8
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DE0EC9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 85cf686b0c0d15bdc5a2ae6bfd3b53c536710db722780cf79c21c85b5f4c8eb7
                                    • Instruction ID: 785277d05cc6c4ba677aec0123f25014b5448d8e9756b3cfaa6fd6c190b8191f
                                    • Opcode Fuzzy Hash: 85cf686b0c0d15bdc5a2ae6bfd3b53c536710db722780cf79c21c85b5f4c8eb7
                                    • Instruction Fuzzy Hash: 7C51E3A06047D53DFB32A3668C45B7ABEA99B06700F0C8999F1D8568C2D3E5ACD8D770
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _wcsncpy$LocalTime
                                    • String ID:
                                    • API String ID: 2945705084-0
                                    • Opcode ID: 5bbda194eb2d7c2bf6692231f7f3e3d05a387600472ca0520c752a7876487268
                                    • Instruction ID: 5232107e0de69ed5d035ba6a0c3690ba64ab9c3b6d22ad98029afccf64bd23be
                                    • Opcode Fuzzy Hash: 5bbda194eb2d7c2bf6692231f7f3e3d05a387600472ca0520c752a7876487268
                                    • Instruction Fuzzy Hash: 7841A165C1165476CB11FBB99C86ACFB3B8DF06310F508966F508E3221EA34E255C7BA
                                    APIs
                                      • Part of subcall function 00DE466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DE3697,?), ref: 00DE468B
                                      • Part of subcall function 00DE466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DE3697,?), ref: 00DE46A4
                                    • lstrcmpiW.KERNEL32(?,?), ref: 00DE36B7
                                    • _wcscmp.LIBCMT ref: 00DE36D3
                                    • MoveFileW.KERNEL32(?,?), ref: 00DE36EB
                                    • _wcscat.LIBCMT ref: 00DE3733
                                    • SHFileOperationW.SHELL32(?), ref: 00DE379F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 1377345388-1173974218
                                    • Opcode ID: 9aafc2f830507ec08550a9fad2e53870d2a0bb12ce5318659262de314e3d1360
                                    • Instruction ID: 26c01fd873ba2e582bbec4b124a3c4fb3bc746ea500e1e75f07651b9c2cdbe3a
                                    • Opcode Fuzzy Hash: 9aafc2f830507ec08550a9fad2e53870d2a0bb12ce5318659262de314e3d1360
                                    • Instruction Fuzzy Hash: 8F417C71508384AEC752FF65C4459EFB7E8EF89390F44082EB49AC3251EA34D6898B72
                                    APIs
                                    • _memset.LIBCMT ref: 00E072AA
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E07351
                                    • IsMenu.USER32(?), ref: 00E07369
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E073B1
                                    • DrawMenuBar.USER32 ref: 00E073C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                    • String ID: 0
                                    • API String ID: 3866635326-4108050209
                                    • Opcode ID: a88c0325d80f731b6ff6d713ae869db88a1804d5ac3fb196bdbe566be74f24f2
                                    • Instruction ID: f2cf62a052cffac0ce5c0c4082dcfca8e72da56f60fc4b5067d44454c9765450
                                    • Opcode Fuzzy Hash: a88c0325d80f731b6ff6d713ae869db88a1804d5ac3fb196bdbe566be74f24f2
                                    • Instruction Fuzzy Hash: 60416A75A04208EFEB20DF50D884E9ABBF4FB09314F149429FD85A7290C734AD94DF60
                                    APIs
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E00FD4
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E00FFE
                                    • FreeLibrary.KERNEL32(00000000), ref: 00E010B5
                                      • Part of subcall function 00E00FA5: RegCloseKey.ADVAPI32(?), ref: 00E0101B
                                      • Part of subcall function 00E00FA5: FreeLibrary.KERNEL32(?), ref: 00E0106D
                                      • Part of subcall function 00E00FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E01090
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E01058
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                    • String ID:
                                    • API String ID: 395352322-0
                                    • Opcode ID: 72717c7d631db44fb791001e1b92bad7cba8f8ae754b171ecd78100553c32d39
                                    • Instruction ID: 1ee21b955eb96962cecdaf29f627f3f6834b558723bb4cf84572527adcf067d2
                                    • Opcode Fuzzy Hash: 72717c7d631db44fb791001e1b92bad7cba8f8ae754b171ecd78100553c32d39
                                    • Instruction Fuzzy Hash: 4E310D71901109BFEB259F91DC89EFFB7BCEF08304F0001A9E541B6191EA759EC99AA0
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E062EC
                                    • GetWindowLongW.USER32(01033A78,000000F0), ref: 00E0631F
                                    • GetWindowLongW.USER32(01033A78,000000F0), ref: 00E06354
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E06386
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E063B0
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00E063C1
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E063DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: 157838212d6ee17a920b74c9db85da4fa0fb05f258312f7569ba0965e453918f
                                    • Instruction ID: 8dbcc75fbdf94816f18228c73b3f127f30b286d9c39c9dfda0845a3d6f340ba3
                                    • Opcode Fuzzy Hash: 157838212d6ee17a920b74c9db85da4fa0fb05f258312f7569ba0965e453918f
                                    • Instruction Fuzzy Hash: E1313235600251AFDB20CF1AEC84F5537E1FB8A718F1811A4F500AF2F2CB76A8A58B90
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DDDB2E
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DDDB54
                                    • SysAllocString.OLEAUT32(00000000), ref: 00DDDB57
                                    • SysAllocString.OLEAUT32(?), ref: 00DDDB75
                                    • SysFreeString.OLEAUT32(?), ref: 00DDDB7E
                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 00DDDBA3
                                    • SysAllocString.OLEAUT32(?), ref: 00DDDBB1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: d798c16b4fa45be353a637ed732e28b58ca013894b8ec9993b3c8366e0e126d8
                                    • Instruction ID: ef4a7cb10097cd1c4c6c9a69cec1e4ae0262bbda47a558ecf3d882eb91f61759
                                    • Opcode Fuzzy Hash: d798c16b4fa45be353a637ed732e28b58ca013894b8ec9993b3c8366e0e126d8
                                    • Instruction Fuzzy Hash: A0217F36600219AFDF10DFA9DC88CBB77ADEB09364B068566F954DB250D670EC858770
                                    APIs
                                      • Part of subcall function 00DF7D8B: inet_addr.WS2_32(00000000), ref: 00DF7DB6
                                    • socket.WS2_32(00000002,00000001,00000006), ref: 00DF61C6
                                    • WSAGetLastError.WS2_32(00000000), ref: 00DF61D5
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00DF620E
                                    • connect.WSOCK32(00000000,?,00000010), ref: 00DF6217
                                    • WSAGetLastError.WS2_32 ref: 00DF6221
                                    • closesocket.WS2_32(00000000), ref: 00DF624A
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00DF6263
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                    • String ID:
                                    • API String ID: 910771015-0
                                    • Opcode ID: e13f9e6ca60feeefcf8a7d14fe8938e88785f59e39c7fd0b7edde904d4da9020
                                    • Instruction ID: f05d8b706c1971bec5a3b0ab51726cebbe9c2843735178716c2dcd35ca043df6
                                    • Opcode Fuzzy Hash: e13f9e6ca60feeefcf8a7d14fe8938e88785f59e39c7fd0b7edde904d4da9020
                                    • Instruction Fuzzy Hash: 1E31A131600208AFDF10AF64CC85BBE77A8EB45714F098029FA45A7691DB71ED589BB1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    • Opcode ID: 841846fe064883b065ab4e28b1669498b482d9c5919401485cc78fb20be0d5f0
                                    • Instruction ID: c30dc9cee7f5c2cd48c1daf7ea36859b0f2702d6bf9d33a73f9f726823db71ef
                                    • Opcode Fuzzy Hash: 841846fe064883b065ab4e28b1669498b482d9c5919401485cc78fb20be0d5f0
                                    • Instruction Fuzzy Hash: 8021347224421177D621AB34AC02EEB73A9EF5A354F18443BF98786291EB50DE81D3B5
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DDDC09
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DDDC2F
                                    • SysAllocString.OLEAUT32(00000000), ref: 00DDDC32
                                    • SysAllocString.OLEAUT32 ref: 00DDDC53
                                    • SysFreeString.OLEAUT32 ref: 00DDDC5C
                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 00DDDC76
                                    • SysAllocString.OLEAUT32(?), ref: 00DDDC84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: 1759a93d183a83dd9e3d02ec47a684dba6385457689f5d3ef0daee194a531bfb
                                    • Instruction ID: c860b8a58085b98c5c8168351ec6b161276305728b1e3455c89f8a2448e30f6a
                                    • Opcode Fuzzy Hash: 1759a93d183a83dd9e3d02ec47a684dba6385457689f5d3ef0daee194a531bfb
                                    • Instruction Fuzzy Hash: 70215E35604204AFDF20ABADDC88DAA77ADEB0D360B148126F954DB261DAB0DC85C774
                                    APIs
                                      • Part of subcall function 00D81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D81D73
                                      • Part of subcall function 00D81D35: GetStockObject.GDI32(00000011), ref: 00D81D87
                                      • Part of subcall function 00D81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D81D91
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E07632
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E0763F
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E0764A
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E07659
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E07665
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: 3be7f0a87a7acff441fb830265ed81440a3728adc3f38db0f79aaf22bd6c7e94
                                    • Instruction ID: 12d6a8e8ee0cbe6319ff7a07b94b45e5a2ec7df2245747817131bfea8ac7dbc0
                                    • Opcode Fuzzy Hash: 3be7f0a87a7acff441fb830265ed81440a3728adc3f38db0f79aaf22bd6c7e94
                                    • Instruction Fuzzy Hash: 3C11E6B2100219BFEF108F64CC85EE77F5DEF08798F014114BA45B2090C772AC61DBA4
                                    APIs
                                    • __init_pointers.LIBCMT ref: 00DA9AE6
                                      • Part of subcall function 00DA3187: RtlEncodePointer.NTDLL(00000000), ref: 00DA318A
                                      • Part of subcall function 00DA3187: __initp_misc_winsig.LIBCMT ref: 00DA31A5
                                      • Part of subcall function 00DA3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DA9EA0
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00DA9EB4
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00DA9EC7
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00DA9EDA
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00DA9EED
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00DA9F00
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00DA9F13
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00DA9F26
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00DA9F39
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00DA9F4C
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00DA9F5F
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00DA9F72
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00DA9F85
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00DA9F98
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00DA9FAB
                                      • Part of subcall function 00DA3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00DA9FBE
                                    • __mtinitlocks.LIBCMT ref: 00DA9AEB
                                    • __mtterm.LIBCMT ref: 00DA9AF4
                                      • Part of subcall function 00DA9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00DA9C56
                                      • Part of subcall function 00DA9B5C: _free.LIBCMT ref: 00DA9C5D
                                      • Part of subcall function 00DA9B5C: RtlDeleteCriticalSection.NTDLL(02), ref: 00DA9C7F
                                    • __calloc_crt.LIBCMT ref: 00DA9B19
                                    • __initptd.LIBCMT ref: 00DA9B3B
                                    • GetCurrentThreadId.KERNEL32 ref: 00DA9B42
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                    • String ID:
                                    • API String ID: 3567560977-0
                                    • Opcode ID: 0aa458057763596042009e1babb92dd8587c9566c3461a3fb6a262fa22588de6
                                    • Instruction ID: f90b54eed9186392216a98ce0583bd26488c92014e58d1f460237e869800dc56
                                    • Opcode Fuzzy Hash: 0aa458057763596042009e1babb92dd8587c9566c3461a3fb6a262fa22588de6
                                    • Instruction Fuzzy Hash: E0F0B43250A7115EEB347775BC6778BBA90DF03730F244A1AF461D51D2FF20848145B0
                                    APIs
                                    • _memset.LIBCMT ref: 00E0B644
                                    • _memset.LIBCMT ref: 00E0B653
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E46F20,00E46F64), ref: 00E0B682
                                    • CloseHandle.KERNEL32 ref: 00E0B694
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID: o$do
                                    • API String ID: 3277943733-2180341428
                                    • Opcode ID: 6311a56c5c5bcc704aadd5b0b577630a5aa84e3a5ae836c4539aff9539df9351
                                    • Instruction ID: f2403d183251052fea0d1a5ec0cceb9777c75914401eba32ffe7ceb234109372
                                    • Opcode Fuzzy Hash: 6311a56c5c5bcc704aadd5b0b577630a5aa84e3a5ae836c4539aff9539df9351
                                    • Instruction Fuzzy Hash: 5AF054B56403007EE6102F667C06F7B3A5CEB07755F005020FA48F5592D7764C1987BA
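The following is an added triage helper, not code from the Joe Sandbox report, from AutoIt or from the sample under analysis. It parses the "APIs" lines of the records above (the socket/ioctlsocket/connect record at 00DF61C6, the #OnAutoItStartRegister/#notrayicon/#requireadmin string record, and the CreateProcessW record at 00E0B682), decodes the Windows SDK constants those lines carry (AF_INET/SOCK_STREAM/IPPROTO_TCP, FIONBIO = 0x8004667E, NORMAL_PRIORITY_CLASS = 0x20) and flags the socket -> ioctlsocket(FIONBIO) -> connect order, which is the shape of a connect-with-timeout (the socket is made non-blocking before connect so the caller can poll or give up). The line regex, the constant tables and the use of "$" as the separator of the report's "String ID" field are assumptions taken from the lines visible on this page; the sample input is those lines copied inline.

```python
"""Added triage helper for Joe Sandbox "APIs" records (example code, not part of
the report). Parses call lines, decodes well-known constants and looks for the
socket -> ioctlsocket(FIONBIO) -> connect idiom."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]          # hex value, string literal, or "?" (not recovered)


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: int                          # address the report prints after "ref:"
    subcall: bool = False             # "Part of subcall function ..." lines


# Assumed line shapes, taken from the records on this page:
#   • socket.WS2_32(00000002,00000001,00000006), ref: 00DF61C6
#   • WSAGetLastError.WS2_32 ref: 00DF6221
#   • Part of subcall function 00DF7D8B: inet_addr.WS2_32(00000000), ref: 00DF7DB6
_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[\w$]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
_HEX = re.compile(r"^-?[0-9A-F]{1,8}$")

# Windows SDK values for the constants seen in the traces above.
SOCKET_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
SOCKET_PROTO = {0: "0", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
IOCTL_CMD = {0x8004667E: "FIONBIO", 0x4004667F: "FIONREAD"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE",
                0x20: "NORMAL_PRIORITY_CLASS", 0x8000000: "CREATE_NO_WINDOW"}
AUTOIT_DIRECTIVES = {        # script-level directives the AutoIt runtime recognises
    "#requireadmin": "script requests elevation (UAC prompt) at start",
    "#notrayicon": "hides the AutoIt tray icon",
    "#OnAutoItStartRegister": "runs a registered function before the main script",
}


def _arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if _HEX.match(tok):
        return int(tok, 16)           # "-00000001" -> -1, "FF000000" -> 0xFF000000
    return tok                        # e.g. "kernel32.dll", "FlsAlloc"


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                  # headings such as "APIs" / "Strings"
        raw = m.group("args")
        args = [_arg(t) for t in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), bool(m.group("sub"))))
    return calls


def _name(table: Dict[int, str], v: Arg) -> str:
    if not isinstance(v, int):
        return "?"
    v &= 0xFFFFFFFF
    return table.get(v, "0x%X" % v)


def _flags(table: Dict[int, str], v: Arg) -> str:
    if not isinstance(v, int):
        return "?"
    names = [n for bit, n in table.items() if v & bit == bit]
    return "|".join(names) or "0x%X" % v


def describe(c: Call) -> str:
    """Render one call with the constants we recognise decoded."""
    a = c.args
    if c.api == "socket" and len(a) == 3:
        return "socket(%s, %s, %s)" % (_name(SOCKET_FAMILY, a[0]),
                                       _name(SOCKET_TYPE, a[1]), _name(SOCKET_PROTO, a[2]))
    if c.api == "ioctlsocket" and len(a) >= 2:
        return "ioctlsocket(cmd=%s)" % _name(IOCTL_CMD, a[1])
    if c.api == "CreateProcessW" and len(a) >= 6:   # arg 5 is dwCreationFlags
        return "CreateProcessW(dwCreationFlags=%s)" % _flags(CREATE_FLAGS, a[5])
    shown = ["?" if x is None else ("0x%X" % x if isinstance(x, int) else x) for x in a]
    return "%s(%s)" % (c.api, ", ".join(shown))


def nonblocking_connect(calls: List[Call]) -> Optional[List[int]]:
    """refs of socket -> ioctlsocket(FIONBIO) -> connect, in that order, if the
    function switches the socket to non-blocking before connecting; else None.
    Subcall lines belong to a callee and are ignored."""
    want = [("socket", None), ("ioctlsocket", 0x8004667E), ("connect", None)]
    hits, i = [], 0
    for c in calls:
        if c.subcall:
            continue
        api, cmd = want[i]
        if c.api == api and (cmd is None or (len(c.args) > 1 and c.args[1] == cmd)):
            hits.append(c.ref)
            i += 1
            if i == len(want):
                return hits
    return None


def string_ids(value: str) -> List[str]:
    """Assumption: the report joins a record's referenced strings with '$'."""
    return [s for s in value.split("$") if s]


def autoit_directives(strings: List[str]) -> Dict[str, str]:
    return {s: AUTOIT_DIRECTIVES[s] for s in strings if s in AUTOIT_DIRECTIVES}


# Constructed input: the "APIs" lines of two records above, copied verbatim.
SAMPLE = """\
• Part of subcall function 00DF7D8B: inet_addr.WS2_32(00000000), ref: 00DF7DB6
• socket.WS2_32(00000002,00000001,00000006), ref: 00DF61C6
• WSAGetLastError.WS2_32(00000000), ref: 00DF61D5
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00DF620E
• connect.WSOCK32(00000000,?,00000010), ref: 00DF6217
• WSAGetLastError.WS2_32 ref: 00DF6221
• closesocket.WS2_32(00000000), ref: 00DF624A
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00DF6263
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E46F20,00E46F64), ref: 00E0B682
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE)
    for c in calls:
        print("%08X %s%s" % (c.ref, "(subcall) " if c.subcall else "", describe(c)))
    print("non-blocking connect at:", [hex(r) for r in nonblocking_connect(calls) or []])
    print(autoit_directives(string_ids("#OnAutoItStartRegister$#notrayicon$#requireadmin")))
```

Run it as a script to print the decoded calls, or pass the whole "APIs" block of any record to `parse_trace`. The second ioctlsocket(FIONBIO) after closesocket in the sample is not part of the flagged sequence; `nonblocking_connect` stops at the first complete socket/ioctlsocket/connect triple, so a record is reported once even when the function retries.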
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DA3F85), ref: 00DA4085
                                    • GetProcAddress.KERNEL32(00000000), ref: 00DA408C
                                    • RtlEncodePointer.NTDLL(00000000), ref: 00DA4097
                                    • RtlDecodePointer.NTDLL(00DA3F85), ref: 00DA40B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 3489934621-2819208100
                                    • Opcode ID: 3ac64606a0eea396773b61f4a72c38af3c1baabdc62fb3e125e2237a90457f88
                                    • Instruction ID: d84421b44870da0586b2f2cac4197fa11d46634dbfaa5c09f02b7899c22994a0
                                    • Opcode Fuzzy Hash: 3ac64606a0eea396773b61f4a72c38af3c1baabdc62fb3e125e2237a90457f88
                                    • Instruction Fuzzy Hash: 06E0BF74542300DFDB209F73EC0EB453AA4B705742F155429F101F15A0CFB74699DA14
                                    APIs
                                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 00DF6C00
                                    • WSAGetLastError.WS2_32(00000000), ref: 00DF6C34
                                    • htons.WS2_32(?), ref: 00DF6CEA
                                    • inet_ntoa.WS2_32(?), ref: 00DF6CA7
                                      • Part of subcall function 00DDA7E9: _strlen.LIBCMT ref: 00DDA7F3
                                      • Part of subcall function 00DDA7E9: _memmove.LIBCMT ref: 00DDA815
                                    • _strlen.LIBCMT ref: 00DF6D44
                                    • _memmove.LIBCMT ref: 00DF6DAD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                    • String ID:
                                    • API String ID: 3619996494-0
                                    • Opcode ID: 7b894e4437322e1b1be55e5cb373dbef26dca87d6c6c4249c84493fd172e1f05
                                    • Instruction ID: f8cf7d9e2fc894e20dbda90d043b0b2f98d798ca4669f982cb04b720580312db
                                    • Opcode Fuzzy Hash: 7b894e4437322e1b1be55e5cb373dbef26dca87d6c6c4249c84493fd172e1f05
                                    • Instruction Fuzzy Hash: 9281C071204204AFC710FF24DC92E7BB7A8EF84714F588919F6959B292DA71ED05CBB2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove$__itow__swprintf
                                    • String ID:
                                    • API String ID: 3253778849-0
                                    • Opcode ID: 96805780c0106e568e9343b682c462643b7272fc15666bc796fe2e4b0ac6dc61
                                    • Instruction ID: f95f7cbe4bec90fea8fc7c6d2308738d5c8382ca4af7d1ce4952127aebb13427
                                    • Opcode Fuzzy Hash: 96805780c0106e568e9343b682c462643b7272fc15666bc796fe2e4b0ac6dc61
                                    • Instruction Fuzzy Hash: BA61883050068A9BCF01FF61CC92EFE7BA5EF15348F084569F8996B292DA35E905DB70
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00E00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFFDAD,?,?), ref: 00E00E31
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E002BD
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E002FD
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E00320
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E00349
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E0038C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00E00399
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                    • String ID:
                                    • API String ID: 4046560759-0
                                    • Opcode ID: 0c1b3635c8e25b8c155c0f0a72f28fcee7e1291850de5785b251c94f4f792abe
                                    • Instruction ID: 9f1ad8b7a28f727414ed014787aa16abdd54c917c5b28dfe7a2bcc474f745ef2
                                    • Opcode Fuzzy Hash: 0c1b3635c8e25b8c155c0f0a72f28fcee7e1291850de5785b251c94f4f792abe
                                    • Instruction Fuzzy Hash: C1515A31108200AFCB15EF64D885EAFBBE9FF89314F04492DF495972A2DB31E945CB62
                                    APIs
                                    • GetMenu.USER32(?), ref: 00E057FB
                                    • GetMenuItemCount.USER32(00000000), ref: 00E05832
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E0585A
                                    • GetMenuItemID.USER32(?,?), ref: 00E058C9
                                    • GetSubMenu.USER32(?,?), ref: 00E058D7
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E05928
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    • Opcode ID: ad686765fb424e06cfcd6983a7c9baa0412e8393c3cc1c77dc708fa0c0474efa
                                    • Instruction ID: 811c9b299798ee43284354db00f83582ee60ea140ff947922d2a6122bd3608ea
                                    • Opcode Fuzzy Hash: ad686765fb424e06cfcd6983a7c9baa0412e8393c3cc1c77dc708fa0c0474efa
                                    • Instruction Fuzzy Hash: FD515D36E00615AFCF15EF64C845AAEB7B5EF48320F144069EC51BB391CB31AE818FA0
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00DDEF06
                                    • VariantClear.OLEAUT32(00000013), ref: 00DDEF78
                                    • VariantClear.OLEAUT32(00000000), ref: 00DDEFD3
                                    • _memmove.LIBCMT ref: 00DDEFFD
                                    • VariantClear.OLEAUT32(?), ref: 00DDF04A
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DDF078
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                    • String ID:
                                    • API String ID: 1101466143-0
                                    • Opcode ID: 5197e5c5b8c3aad7bfb5d1b022a2bda880c8e2c1652e4d4ad9e2ff2c7f843417
                                    • Instruction ID: 9b9d5a4316201aa91d3f7debd3cb6a58afc34041705b7095b1c8428f7fbdb9fc
                                    • Opcode Fuzzy Hash: 5197e5c5b8c3aad7bfb5d1b022a2bda880c8e2c1652e4d4ad9e2ff2c7f843417
                                    • Instruction Fuzzy Hash: 8D5149B5A00209EFDB14DF58C884AAAB7B8FF4C314B15856AED59DB301E335E951CBA0
                                    APIs
                                    • _memset.LIBCMT ref: 00DE2258
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE22A3
                                    • IsMenu.USER32(00000000), ref: 00DE22C3
                                    • CreatePopupMenu.USER32 ref: 00DE22F7
                                    • GetMenuItemCount.USER32(000000FF), ref: 00DE2355
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00DE2386
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: 1211ac83dca03ce12355e726bd29117bcedac2f74f3f7ee314ccf3da32439bc5
                                    • Instruction ID: 41dac7c1f868f2185caae771fa16fa511d36eab5b4c92ee957b94cee0c76ffa3
                                    • Opcode Fuzzy Hash: 1211ac83dca03ce12355e726bd29117bcedac2f74f3f7ee314ccf3da32439bc5
                                    • Instruction Fuzzy Hash: B8518C70600289DBDF21EF6AC888BBEBBE9EF05314F18412DE855A7290D3758944CF71
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00D8179A
                                    • GetWindowRect.USER32(?,?), ref: 00D817FE
                                    • ScreenToClient.USER32(?,?), ref: 00D8181B
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D8182C
                                    • EndPaint.USER32(?,?), ref: 00D81876
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                    • String ID:
                                    • API String ID: 1827037458-0
                                    • Opcode ID: 97d49a528e0c4ac590e9f8d92fd7b67760c47deb6f722f7a0ab98f929de0205e
                                    • Instruction ID: 832818c6210417b13c0494e9567c13bb1ba9709b5249ff7c744877605bfcbf89
                                    • Opcode Fuzzy Hash: 97d49a528e0c4ac590e9f8d92fd7b67760c47deb6f722f7a0ab98f929de0205e
                                    • Instruction Fuzzy Hash: 1641AE39100600EFC710EF25DC85FAA7BFCEB4A724F040229F595962A2CB31984ADB71
                                    APIs
                                    • ShowWindow.USER32(00E457B0,00000000,01033A78,?,?,00E457B0,?,00E0B5A8,?,?), ref: 00E0B712
                                    • EnableWindow.USER32(00000000,00000000), ref: 00E0B736
                                    • ShowWindow.USER32(00E457B0,00000000,01033A78,?,?,00E457B0,?,00E0B5A8,?,?), ref: 00E0B796
                                    • ShowWindow.USER32(00000000,00000004,?,00E0B5A8,?,?), ref: 00E0B7A8
                                    • EnableWindow.USER32(00000000,00000001), ref: 00E0B7CC
                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E0B7EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: f751277fc9f4bdb14c8c4896f01c99a36bab9ed751617fcb22eef8c0911224fa
                                    • Instruction ID: 914ceef81bb94f68e0160b4fa8e5d37cfe8196ebc76c3130548bed49c89f2efa
                                    • Opcode Fuzzy Hash: f751277fc9f4bdb14c8c4896f01c99a36bab9ed751617fcb22eef8c0911224fa
                                    • Instruction Fuzzy Hash: 56415334600140AFDB26CF24C499B957BE1FF45714F1C52BAE948AF6E2C732A896CB51
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00DF4E41,?,?,00000000,00000001), ref: 00DF70AC
                                      • Part of subcall function 00DF39A0: GetWindowRect.USER32(?,?), ref: 00DF39B3
                                    • GetDesktopWindow.USER32 ref: 00DF70D6
                                    • GetWindowRect.USER32(00000000), ref: 00DF70DD
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00DF710F
                                      • Part of subcall function 00DE5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE52BC
                                    • GetCursorPos.USER32(?), ref: 00DF713B
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DF7199
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    • Opcode ID: 6ef57e3a1b0707a56cf640fa78c0b3937ce70df2dff7524f8b73a5c1fb4f03b1
                                    • Instruction ID: 9ae4d9b282fb134ad78394848f0323b4b324e1d67e2dfe728cbf8dc0d893c657
                                    • Opcode Fuzzy Hash: 6ef57e3a1b0707a56cf640fa78c0b3937ce70df2dff7524f8b73a5c1fb4f03b1
                                    • Instruction Fuzzy Hash: 7E31F232508309AFD720DF15DC49BABB7AAFF88304F000919F584A7191CA71EA59CBA2
                                    APIs
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                      • Part of subcall function 00D9FC86: _wcscpy.LIBCMT ref: 00D9FCA9
                                    • _wcstok.LIBCMT ref: 00DEEC94
                                    • _wcscpy.LIBCMT ref: 00DEED23
                                    • _memset.LIBCMT ref: 00DEED56
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    • Opcode ID: 6707e6f70db5d48600f6bc85dc601234dafaf1233303a5548853c8f0fbad52ec
                                    • Instruction ID: 34a7d54f0d38041116f73bf2cb71901501b1a45d57ae6c9b299690e1932ea04c
                                    • Opcode Fuzzy Hash: 6707e6f70db5d48600f6bc85dc601234dafaf1233303a5548853c8f0fbad52ec
                                    • Instruction Fuzzy Hash: E8C169716083409FC724FF24D895A6AB7E4EF85314F14492DF8999B2A2DB30EC45CBB2
                                    APIs
                                      • Part of subcall function 00DD80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD80C0
                                      • Part of subcall function 00DD80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD80CA
                                      • Part of subcall function 00DD80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD80D9
                                      • Part of subcall function 00DD80A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00DD80E0
                                      • Part of subcall function 00DD80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD80F6
                                    • GetLengthSid.ADVAPI32(?,00000000,00DD842F), ref: 00DD88CA
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DD88D6
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00DD88DD
                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00DD88F6
                                    • GetProcessHeap.KERNEL32(00000000,00000000,00DD842F), ref: 00DD890A
                                    • HeapFree.KERNEL32(00000000), ref: 00DD8911
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                    • String ID:
                                    • API String ID: 169236558-0
                                    • Opcode ID: 8b903bdae827f2562b155883101cb225f0a755edbb76fa819d0819dac5b8f57b
                                    • Instruction ID: fc751daafd65e9bd98dff1322af23e4d220541e106ae151ad953643b3be37716
                                    • Opcode Fuzzy Hash: 8b903bdae827f2562b155883101cb225f0a755edbb76fa819d0819dac5b8f57b
                                    • Instruction Fuzzy Hash: 6E11B175542209FFDB229FA5DC19BBE77B8EB44312F14402AE885A7211CB32AD54EB70
                                    APIs
                                    • GetDC.USER32(00000000), ref: 00DDB7B5
                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00DDB7C6
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DDB7CD
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00DDB7D5
                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DDB7EC
                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 00DDB7FE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CapsDevice$Release
                                    • String ID:
                                    • API String ID: 1035833867-0
                                    • Opcode ID: c7b2d8cb6985b2806413de32a92c7c91a14f4112b65757a98005c9932236f10a
                                    • Instruction ID: c78946b88893c8208ae51192ea264c0eb1b285e1e15ac2e247abdda920d048dd
                                    • Opcode Fuzzy Hash: c7b2d8cb6985b2806413de32a92c7c91a14f4112b65757a98005c9932236f10a
                                    • Instruction Fuzzy Hash: BB018875E00305BFEB209BA69C45A5EBFB8EB48361F0440B6FA08A7391D6319C10CFA0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DA0193
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00DA019B
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DA01A6
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DA01B1
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00DA01B9
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DA01C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    • Opcode ID: c2c64d275d58dfd6552ed10d7948c033bc586d2016e8d1022dabff39f472b79b
                                    • Instruction ID: 04b7a8951bbbd8142de8d9736043d199335094bed6074704c3ab305962b0ef8f
                                    • Opcode Fuzzy Hash: c2c64d275d58dfd6552ed10d7948c033bc586d2016e8d1022dabff39f472b79b
                                    • Instruction Fuzzy Hash: 38016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A868CBE5
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DE53F9
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DE540F
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00DE541E
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DE542D
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DE5437
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DE543E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    • Opcode ID: 8a67c17b604d85c6f283822f0b607f8991e8bb7ddddb2f9af46121bcf99fe941
                                    • Instruction ID: d4243f3ccc35db3c99009ef419411f38289434be2d15502c69c6b3181f10485d
                                    • Opcode Fuzzy Hash: 8a67c17b604d85c6f283822f0b607f8991e8bb7ddddb2f9af46121bcf99fe941
                                    • Instruction Fuzzy Hash: CAF06D32241158BFE3305BA3AC0DEAB7A7CEBC6B11F000169FA04E1091DAA21A5586F5
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 00DE7243
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00DE7254
                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00D90EE4,?,?), ref: 00DE7261
                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D90EE4,?,?), ref: 00DE726E
                                      • Part of subcall function 00DE6C35: CloseHandle.KERNEL32(00000000,?,00DE727B,?,00D90EE4,?,?), ref: 00DE6C3F
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DE7281
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00DE7288
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    • Opcode ID: 143e16dacb27e3ca886f0827b455480908ec3b1a792221350db5fe4e71fb41da
                                    • Instruction ID: 48998a87332ac226191e1fbc82b654ceaf2f7f62ab1f743c022a31c4d6d32977
                                    • Opcode Fuzzy Hash: 143e16dacb27e3ca886f0827b455480908ec3b1a792221350db5fe4e71fb41da
                                    • Instruction Fuzzy Hash: 94F0BE36440303EFE7622B25EC4C9DA7729EF04702B100131F203A04B1CB7798A4CB60
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00DF8613
                                    • CharUpperBuffW.USER32(?,?), ref: 00DF8722
                                    • VariantClear.OLEAUT32(?), ref: 00DF889A
                                      • Part of subcall function 00DE7562: VariantInit.OLEAUT32(00000000), ref: 00DE75A2
                                      • Part of subcall function 00DE7562: VariantCopy.OLEAUT32(00000000,?), ref: 00DE75AB
                                      • Part of subcall function 00DE7562: VariantClear.OLEAUT32(00000000), ref: 00DE75B7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    • Opcode ID: 7c90f2a8ee0ef11cd7f27a356794651a7e059085f2a862f173f2e2caaedb25bd
                                    • Instruction ID: a21943a46012e009b31c41114beb34c3b347c1abf414a4b2491276a6449c73b5
                                    • Opcode Fuzzy Hash: 7c90f2a8ee0ef11cd7f27a356794651a7e059085f2a862f173f2e2caaedb25bd
                                    • Instruction Fuzzy Hash: 01919D746043059FC710EF24C48496ABBF4EF89754F18892EF99A9B361DB31E905CBB2
                                    APIs
                                      • Part of subcall function 00D9FC86: _wcscpy.LIBCMT ref: 00D9FCA9
                                    • _memset.LIBCMT ref: 00DE2B87
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DE2BB6
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DE2C69
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DE2C97
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    • Opcode ID: de3acbc428fd028201d93c4829640171a0105cad21429be91b2f62470ec4aeb3
                                    • Instruction ID: 590dacdd623fcfbfae5badb34e835a7c3067bfb7331a56207bea4f72e30c5397
                                    • Opcode Fuzzy Hash: de3acbc428fd028201d93c4829640171a0105cad21429be91b2f62470ec4aeb3
                                    • Instruction Fuzzy Hash: 1951AD715083809BD725AE2AD845A7FBBECEF99310F280A29F895D2191DB70CD44D772
                                    APIs
                                    • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00DDD5D4
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DDD60A
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DDD61B
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DDD69D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 753597075-1075368562
                                    • Opcode ID: a30eae69d50d2fdc820de9bcc074c4372169958a6350963f5a817e95b476c30b
                                    • Instruction ID: c04039b704bbf11c79e6c395fcf5753a03f4f36b243dce4f6e16f0b0ad409111
                                    • Opcode Fuzzy Hash: a30eae69d50d2fdc820de9bcc074c4372169958a6350963f5a817e95b476c30b
                                    • Instruction Fuzzy Hash: F8412CB1600208EFDF15DF65C884A9ABBAAEF44314F1581AAE9099F346D7B1D944CBF0
                                    APIs
                                    • _memset.LIBCMT ref: 00DE27C0
                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DE27DC
                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00DE2822
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E45890,00000000), ref: 00DE286B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    • Opcode ID: 5ab8d309c40eb0450de019d6abc8e0ba4e3d9dd761f834af20b6b02d82a0e3a4
                                    • Instruction ID: 10e5b6569d095e386a7475ea899901b5d74a3b0e589758da2fc302edba0803b7
                                    • Opcode Fuzzy Hash: 5ab8d309c40eb0450de019d6abc8e0ba4e3d9dd761f834af20b6b02d82a0e3a4
                                    • Instruction Fuzzy Hash: A5417F702043819FD724EF26CC84B2ABBE8EF85314F14466DF9A997291D730E905CB72
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DFD7C5
                                      • Part of subcall function 00D8784B: _memmove.LIBCMT ref: 00D87899
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: BuffCharLower_memmove
                                    • String ID: cdecl$none$stdcall$winapi
                                    • API String ID: 3425801089-567219261
                                    • Opcode ID: 76afd7e8829ea5064ed608675ddb68469d7c0e47387ace71947bd5d88802c77b
                                    • Instruction ID: a71d20ede139b2cbcb039bafd3d699ed393e4c3205c8bfb564c9dad968940e58
                                    • Opcode Fuzzy Hash: 76afd7e8829ea5064ed608675ddb68469d7c0e47387ace71947bd5d88802c77b
                                    • Instruction Fuzzy Hash: B031BC71A04219ABCF00EF58C8519BEB7B6FF05320F148629E965A76D1DB71AD05CBB0
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00DDAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00DDAABC
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DD8F14
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DD8F27
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00DD8F57
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$_memmove$ClassName
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 365058703-1403004172
                                    • Opcode ID: c3584a189648a3d4f7f7f867d5e37bdda9c72d7d39b9cbcd081efd1abbc46451
                                    • Instruction ID: 204c6da204d7779928794ed2ef914464e8b69ba503932a62516716bc2426857f
                                    • Opcode Fuzzy Hash: c3584a189648a3d4f7f7f867d5e37bdda9c72d7d39b9cbcd081efd1abbc46451
                                    • Instruction Fuzzy Hash: C521F275A40104BEDB25ABB0DC45DFEBB79DF45320F14461AF421A72E1DA398849E670
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DF184C
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DF1872
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DF18A2
                                    • InternetCloseHandle.WININET(00000000), ref: 00DF18E9
                                      • Part of subcall function 00DF2483: GetLastError.KERNEL32(?,?,00DF1817,00000000,00000000,00000001), ref: 00DF2498
                                      • Part of subcall function 00DF2483: SetEvent.KERNEL32(?,?,00DF1817,00000000,00000000,00000001), ref: 00DF24AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 3113390036-3916222277
                                    • Opcode ID: cf8b2274ab84b992c2833c30e8d00ac43ea91ea2a159d181d4550711318f2847
                                    • Instruction ID: 8f7887d9553d5326ea575030de3bdc5aa681670f0d75dac70844d94b707232a5
                                    • Opcode Fuzzy Hash: cf8b2274ab84b992c2833c30e8d00ac43ea91ea2a159d181d4550711318f2847
                                    • Instruction Fuzzy Hash: 8521FFB550030CBFEB219F61CC84EBF77EDEB48784F15812AFA05A2240EB618D0497B1
                                    APIs
                                      • Part of subcall function 00D81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D81D73
                                      • Part of subcall function 00D81D35: GetStockObject.GDI32(00000011), ref: 00D81D87
                                      • Part of subcall function 00D81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D81D91
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E06461
                                    • LoadLibraryW.KERNEL32(?), ref: 00E06468
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E0647D
                                    • DestroyWindow.USER32(?), ref: 00E06485
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    • Opcode ID: 5f5d1c718fc65622041cfdd6adb1e57c6a59272c6050f0b601b7b1f9891d515d
                                    • Instruction ID: 1112f979686406d6030b10b5eb1ddaccb9106a2263ce42780579c49aa0c4875f
                                    • Opcode Fuzzy Hash: 5f5d1c718fc65622041cfdd6adb1e57c6a59272c6050f0b601b7b1f9891d515d
                                    • Instruction Fuzzy Hash: 86218B71200205AFEF204FA4DC84FBA77ADFF59328F106629FA20B20D0D7759CA29760
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 00DE6DBC
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE6DEF
                                    • GetStdHandle.KERNEL32(0000000C), ref: 00DE6E01
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00DE6E3B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: 60be8192f9d6a689688ffb4f1be297ca0f49c26f36e7eeb2cf06bf390cf41502
                                    • Instruction ID: 3b45a4d5433262c6db474e681167888d533512e17721b64042d366632712113c
                                    • Opcode Fuzzy Hash: 60be8192f9d6a689688ffb4f1be297ca0f49c26f36e7eeb2cf06bf390cf41502
                                    • Instruction Fuzzy Hash: B6218174600349ABDB20AF2ADC05A9A7BA8EF64760F244A19FDA0D72D0D771D9548B70
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00DE6E89
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE6EBB
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00DE6ECC
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00DE6F06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: 2594d1d22b89224f5cc4a170c4aa30acb62c03dacef6818ec3559bba6366c5dc
                                    • Instruction ID: aaa4347ac34eca6cdde7a247b92f496d3912c06845d602da210b5d3417457f10
                                    • Opcode Fuzzy Hash: 2594d1d22b89224f5cc4a170c4aa30acb62c03dacef6818ec3559bba6366c5dc
                                    • Instruction Fuzzy Hash: EB21C4755003459FDB20AF6ACC04A9A77A8EF64B60F244A59FCE0E32D0D770D850C730
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00DEAC54
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DEACA8
                                    • __swprintf.LIBCMT ref: 00DEACC1
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00E0F910), ref: 00DEACFF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    • Opcode ID: 79ae555e8bbd07fce8d72af6d62df5f206d4bd1e654b4adfb00f3fdb8a238f54
                                    • Instruction ID: 2beeec2ef20c019c4b7dbe1d3e28f15a03ffa4699a1ff3cb36225e4396ff93fb
                                    • Opcode Fuzzy Hash: 79ae555e8bbd07fce8d72af6d62df5f206d4bd1e654b4adfb00f3fdb8a238f54
                                    • Instruction Fuzzy Hash: 7421A134A00209AFCB10EF65C945DEEBBB8EF49714B044069F809AB252DA31EA45CB71
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 00DE1B19
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                    • API String ID: 3964851224-769500911
                                    • Opcode ID: 1058fe342642b86709a974d5da53c4c64dd89a2c69addf8f6c3809d36e5df5e8
                                    • Instruction ID: 210fce10ba8e9c1afcc5f2cc8281a2556077c0036ac37c208333bcbbcc688697
                                    • Opcode Fuzzy Hash: 1058fe342642b86709a974d5da53c4c64dd89a2c69addf8f6c3809d36e5df5e8
                                    • Instruction Fuzzy Hash: 0011A135A002589FCF00EF54D8528FEBBB4FF66304F584465E81567291EB325D06CB70
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DFEC07
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DFEC37
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00DFED6A
                                    • CloseHandle.KERNEL32(?), ref: 00DFEDEB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    • Opcode ID: b72371cbf1c6e386d1e86cecf0f85affa0a47949a74c8831f7c656c9007e9ecf
                                    • Instruction ID: 0b14d0f310fd5481337475dff93e3b3f9ab29c31c1d3011fed52859c5b0dae36
                                    • Opcode Fuzzy Hash: b72371cbf1c6e386d1e86cecf0f85affa0a47949a74c8831f7c656c9007e9ecf
                                    • Instruction Fuzzy Hash: 0D816171600301AFD760EF28C896F2AF7E5EF44714F58881DF99A9B292D670EC41CB61
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00E00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFFDAD,?,?), ref: 00E00E31
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E000FD
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E0013C
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E00183
                                    • RegCloseKey.ADVAPI32(?,?), ref: 00E001AF
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00E001BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                    • String ID:
                                    • API String ID: 3440857362-0
                                    • Opcode ID: 7a03142cbb774233fa4ae5da48e6954f39ae7afd4ea9be4ee0f5ac2706c03322
                                    • Instruction ID: 30733778076351c13b5ad3828fd1ba9d341b760f42fb3affe22ceb25a2c52f35
                                    • Opcode Fuzzy Hash: 7a03142cbb774233fa4ae5da48e6954f39ae7afd4ea9be4ee0f5ac2706c03322
                                    • Instruction Fuzzy Hash: 17516B71208204AFD714EF68CC81FAAB7E9FF84314F44492DF595972A2DB31E984CB62
                                    APIs
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DFD927
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00DFD9AA
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00DFD9C6
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00DFDA07
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DFDA21
                                      • Part of subcall function 00D85A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DE7896,?,?,00000000), ref: 00D85A2C
                                      • Part of subcall function 00D85A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DE7896,?,?,00000000,?,?), ref: 00D85A50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                    • String ID:
                                    • API String ID: 327935632-0
                                    • Opcode ID: bda7fd78ebbddec2db80a2bed52009d526fee36c8c1fa8b697247f2be2cd41a6
                                    • Instruction ID: 1bdda1931cf7be4abefed15e9025d171f028eb1d64312273cc72148dd15129eb
                                    • Opcode Fuzzy Hash: bda7fd78ebbddec2db80a2bed52009d526fee36c8c1fa8b697247f2be2cd41a6
                                    • Instruction Fuzzy Hash: DE511535A00209DFCB00EFA8C4949ADB7F6EF19320B19C165E955AB312D731ED45CFA1
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DEE61F
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00DEE648
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DEE687
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DEE6AC
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DEE6B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    • Opcode ID: 4f856fe44bb00ed7e4c230f72b7694ed3b971e725f874b26fbc4194a32a8b2fe
                                    • Instruction ID: 4251ae937ded5e9a8164be0c6c2903b6b60ff864f31e4997aa5ac44d6f4c59c3
                                    • Opcode Fuzzy Hash: 4f856fe44bb00ed7e4c230f72b7694ed3b971e725f874b26fbc4194a32a8b2fe
                                    • Instruction Fuzzy Hash: DD511A35A00105DFCB01EF65C991AAEBBF5EF09314B1884A9E849AB361CB31ED51DF70
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b82cac199ea786a16bc5850216c0c27bf465299e0d0b6d3896a9485e8a2f0765
                                    • Instruction ID: 20e8bfcfec138ef427290cb5590955aa88e8d2b8d50d70f570825df186734847
                                    • Opcode Fuzzy Hash: b82cac199ea786a16bc5850216c0c27bf465299e0d0b6d3896a9485e8a2f0765
                                    • Instruction Fuzzy Hash: 6441DE7590520CAFC720DF68CC48FE9BBA8EB09314F181275F816B72E1CB70AD85DA61
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00D82357
                                    • ScreenToClient.USER32(00E457B0,?), ref: 00D82374
                                    • GetAsyncKeyState.USER32(00000001), ref: 00D82399
                                    • GetAsyncKeyState.USER32(00000002), ref: 00D823A7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    • Opcode ID: 96fa0064db1a8d1894b49e60eacedda7f0de1a94b6ff8a0b900e26fb9eaa3674
                                    • Instruction ID: 6611081bdbc937c1fb8841d545883aefe63a87f2114d708b6d4c385df68567fe
                                    • Opcode Fuzzy Hash: 96fa0064db1a8d1894b49e60eacedda7f0de1a94b6ff8a0b900e26fb9eaa3674
                                    • Instruction Fuzzy Hash: B2417F75604109FFCF25AF68CC44AF9BBB4FB05360F24431AF869A22A0C7359D94DBA1
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD63E7
                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00DD6433
                                    • TranslateMessage.USER32(?), ref: 00DD645C
                                    • DispatchMessageW.USER32(?), ref: 00DD6466
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD6475
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                    • String ID:
                                    • API String ID: 2108273632-0
                                    • Opcode ID: 5c15d73fc86f6c07214198ccd5cb91e624dc57a4d665b2badc0d2feb21e85b37
                                    • Instruction ID: 44df36081d24fd9a9cdc142a80f10996cc7e1b0469914923d514f37e760b70ef
                                    • Opcode Fuzzy Hash: 5c15d73fc86f6c07214198ccd5cb91e624dc57a4d665b2badc0d2feb21e85b37
                                    • Instruction Fuzzy Hash: B931A631944646AFDB64CFB5DC44BB67BACAB02310F180177E425D22A1E765D48DDBF0
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00DD8A30
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00DD8ADA
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00DD8AE2
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00DD8AF0
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00DD8AF8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: cf2f43119473df939715e86237c4be1d2f7f2e0ad73e98bb18555c484886bd8d
                                    • Instruction ID: 3ae789e40aca4d578e9c43fe2b85bd68c19db7a103aaaf117c21cb49b76dc404
                                    • Opcode Fuzzy Hash: cf2f43119473df939715e86237c4be1d2f7f2e0ad73e98bb18555c484886bd8d
                                    • Instruction Fuzzy Hash: 2331E271500219EFDF14CF68DD4CA9E3BB5EB04315F14422AF924E72D1C7B19964DBA1
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 00DDB204
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DDB221
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DDB259
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DDB27F
                                    • _wcsstr.LIBCMT ref: 00DDB289
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    • Opcode ID: d4ee29b2ac7e0cd811a7f06afa4ff01691a8d3cef63174a1b6624f1bb4e8e662
                                    • Instruction ID: e7856dd20981df871cffb5ab137312cc0df709793329d415d0ad92b074540a66
                                    • Opcode Fuzzy Hash: d4ee29b2ac7e0cd811a7f06afa4ff01691a8d3cef63174a1b6624f1bb4e8e662
                                    • Instruction Fuzzy Hash: AE21D732604200BBEB255B799C49E7F7F98DF4A760F05413BF805DA261EF62DC4196B4
                                    APIs
                                      • Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00E0B192
                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E0B1B7
                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E0B1CF
                                    • GetSystemMetrics.USER32(00000004), ref: 00E0B1F8
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00DF0E90,00000000), ref: 00E0B216
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$Long$MetricsSystem
                                    • String ID:
                                    • API String ID: 2294984445-0
                                    • Opcode ID: 3daaa2964b1353cef38bf104feaab7d7bcb987c077495a8894cd030d4a1f5b53
                                    • Instruction ID: 321c6c091661a7794ee621819accc0c23fa0e32c0a0f23fc7459a786c8f8dedd
                                    • Opcode Fuzzy Hash: 3daaa2964b1353cef38bf104feaab7d7bcb987c077495a8894cd030d4a1f5b53
                                    • Instruction Fuzzy Hash: 6921BF31A20261AFCB209F39DC04A6A3BA4FB05325F105738F972F31E1E73098A08B90
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DD9320
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DD9352
                                    • __itow.LIBCMT ref: 00DD936A
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DD9392
                                    • __itow.LIBCMT ref: 00DD93A3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow$_memmove
                                    • String ID:
                                    • API String ID: 2983881199-0
                                    • Opcode ID: 20b1e4da77196cdae42bb4f88d4c19e358e5c045140bdd3b53f42cbe50e412e5
                                    • Instruction ID: 2fcabe89f63837f3f1188ffaa052147e24cbd7f64caecb28151ea1ae10126a12
                                    • Opcode Fuzzy Hash: 20b1e4da77196cdae42bb4f88d4c19e358e5c045140bdd3b53f42cbe50e412e5
                                    • Instruction Fuzzy Hash: BF210A317002047BDB20AA659C95EAEBBADEB89710F144026F944E72C0D6B2CD5587B1
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 00DF5A6E
                                    • GetForegroundWindow.USER32 ref: 00DF5A85
                                    • GetDC.USER32(00000000), ref: 00DF5AC1
                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00DF5ACD
                                    • ReleaseDC.USER32(00000000,00000003), ref: 00DF5B08
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$ForegroundPixelRelease
                                    • String ID:
                                    • API String ID: 4156661090-0
                                    • Opcode ID: 16af86cf329203b01c22556ba840ab9da5402d001a7e3e903535c4fa48411014
                                    • Instruction ID: f4ca5ca9fefc5cd29f0a64ae06128e8ac59afc81be329f18b99cf39682a2a77a
                                    • Opcode Fuzzy Hash: 16af86cf329203b01c22556ba840ab9da5402d001a7e3e903535c4fa48411014
                                    • Instruction Fuzzy Hash: 4021A135A00104AFDB10EF65DC84AAABBE5EF48310F15C079F94997762CA71BC54DBA0
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D8134D
                                    • SelectObject.GDI32(?,00000000), ref: 00D8135C
                                    • BeginPath.GDI32(?), ref: 00D81373
                                    • SelectObject.GDI32(?,00000000), ref: 00D8139C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    • Opcode ID: 47bb2416021208d3894a38e47e019a45f7a7541035a11778624fe662e6adaf77
                                    • Instruction ID: 5b3d81bfc50e8b2746ba4c7c202562ecd35e4a0373f4968d230eba363e2e72bc
                                    • Opcode Fuzzy Hash: 47bb2416021208d3894a38e47e019a45f7a7541035a11778624fe662e6adaf77
                                    • Instruction Fuzzy Hash: B821A439800608DFDB14AF56EC057693BE8FB15321F18422AF414B65B1DB71989FCFA0
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00DE4ABA
                                    • __beginthreadex.LIBCMT ref: 00DE4AD8
                                    • MessageBoxW.USER32(?,?,?,?), ref: 00DE4AED
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DE4B03
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DE4B0A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                    • String ID:
                                    • API String ID: 3824534824-0
                                    • Opcode ID: 0880ea6a2b44cd8d664c7d95e964364516dd54eaa1c5de9a40c132f966aaaa69
                                    • Instruction ID: b930ae344ac0216e6c24a6008df186217eb5183321e99e906fafdd1448655c08
                                    • Opcode Fuzzy Hash: 0880ea6a2b44cd8d664c7d95e964364516dd54eaa1c5de9a40c132f966aaaa69
                                    • Instruction Fuzzy Hash: FB110876905244BFC7109FAAAC08A9B7FACEB45321F144266F824E3261D6B1C95887B0
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD821E
                                    • GetLastError.KERNEL32(?,00DD7CE2,?,?,?), ref: 00DD8228
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00DD7CE2,?,?,?), ref: 00DD8237
                                    • RtlAllocateHeap.NTDLL(00000000,?,00DD7CE2), ref: 00DD823E
                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD8255
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 883493501-0
                                    • Opcode ID: 836317e45a1cb3801b46f56071202f0cf531b932e391070a3595ac130acbcfa8
                                    • Instruction ID: 9ffcae992f2ce59cc89085a51000c4cc1d744c76ddf9bbbcf485b35c60a97afd
                                    • Opcode Fuzzy Hash: 836317e45a1cb3801b46f56071202f0cf531b932e391070a3595ac130acbcfa8
                                    • Instruction Fuzzy Hash: 53016D71601204BFDB218FA6EC49D6B7FBCEF8A754B50046AF809D2220DA329C54DA70
                                    APIs
                                    • CLSIDFromProgID.COMBASE ref: 00DD7127
                                    • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DD7142
                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD7044,80070057,?,?), ref: 00DD7150
                                    • CoTaskMemFree.COMBASE(00000000), ref: 00DD7160
                                    • CLSIDFromString.COMBASE(?,?), ref: 00DD716C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    • API String ID: 3897988419-0
                                    • Opcode ID: 672df2f1ca05adc268e22cf238caba53adbffdade9e44f5ec16cf9d60802db44
                                    • Instruction ID: 7478235a69991a9e2a6badfa05a9d8863739c3e949edd1d77517e1a177ac7b6a
                                    • Opcode Fuzzy Hash: 672df2f1ca05adc268e22cf238caba53adbffdade9e44f5ec16cf9d60802db44
                                    • Instruction Fuzzy Hash: 49017172601314AFDB214F65DC44AAA7BADEB44751F1451A5FD04E2310EB32DD5097B0
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE5260
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DE526E
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE5276
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DE5280
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE52BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: 42f91723ac2d60a051c7e7ebf602577061aa858a333609a09b11027b0a73ea59
                                    • Instruction ID: dd31e54b562acbc1872edde303b405b14b4eb1dc8f310436ff9d7c2bf6a319c3
                                    • Opcode Fuzzy Hash: 42f91723ac2d60a051c7e7ebf602577061aa858a333609a09b11027b0a73ea59
                                    • Instruction Fuzzy Hash: 93016931D02A1DDFCF10EFE6E8489EDBBB8FB08315F400056EA41B2245CB3195A48BB9
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD8121
                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD812B
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD813A
                                    • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00DD8141
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8157
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: 59ac022b291e54198a6d576f9bff4b4178fe3dab5dda9ad2c7e101607a4eef51
                                    • Instruction ID: 6054f312e1259494e3b5c03e7bc454aa0623fee816031db014a3b0d639399c02
                                    • Opcode Fuzzy Hash: 59ac022b291e54198a6d576f9bff4b4178fe3dab5dda9ad2c7e101607a4eef51
                                    • Instruction Fuzzy Hash: 1EF06271201315AFEB220FA6EC89F673BACFF49754B040026F946D6250CB62DD99EA70
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 00DDC1F7
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00DDC20E
                                    • MessageBeep.USER32(00000000), ref: 00DDC226
                                    • KillTimer.USER32(?,0000040A), ref: 00DDC242
                                    • EndDialog.USER32(?,00000001), ref: 00DDC25C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    • API String ID: 3741023627-0
                                    • Opcode ID: ee1e9f1a102957a68d6112ae87ba6719111d937433da59f24846a83767c0a870
                                    • Instruction ID: 5b220b76864a7deb4d2c0896f20ebae207b5075560243c092ae10911fc2a219c
                                    • Opcode Fuzzy Hash: ee1e9f1a102957a68d6112ae87ba6719111d937433da59f24846a83767c0a870
                                    • Instruction Fuzzy Hash: E901DB30454305ABEB315B51ED4EF967B78FF00705F04026AF582A15E0D7F2A998CBA4
                                    APIs
                                    • EndPath.GDI32(?), ref: 00D813BF
                                    • StrokeAndFillPath.GDI32(?,?,00DBB888,00000000,?), ref: 00D813DB
                                    • SelectObject.GDI32(?,00000000), ref: 00D813EE
                                    • DeleteObject.GDI32 ref: 00D81401
                                    • StrokePath.GDI32(?), ref: 00D8141C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    • API String ID: 2625713937-0
                                    • Opcode ID: 2226c3daf8b53bfb6035de2b4c22ec72fe26af51ed3cc2a4613958d6ce49050f
                                    • Instruction ID: 435a43faccc353b060b15e7d3497aafe9a7222d0e1dfbcfa2963feef9d6ce540
                                    • Opcode Fuzzy Hash: 2226c3daf8b53bfb6035de2b4c22ec72fe26af51ed3cc2a4613958d6ce49050f
                                    • Instruction Fuzzy Hash: 34F0CD39004608DFDB255F1BEC4C7583BA8A746326F088235E469694F2CB3145AEDF60
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DD899D
                                    • CloseHandle.KERNEL32(?), ref: 00DD89B2
                                    • CloseHandle.KERNEL32(?), ref: 00DD89BA
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD89C3
                                    • HeapFree.KERNEL32(00000000), ref: 00DD89CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                    • String ID:
                                    • API String ID: 3751786701-0
                                    • Opcode ID: a8dfc1f8932f4f9425a5deca0c24432d1731906f6f5a939481ca8502d6dee4f2
                                    • Instruction ID: 9621adf35bb4edb981ecfea429d954e177b2bb18cfeaa8a25d5d9f6d9fa5459d
                                    • Opcode Fuzzy Hash: a8dfc1f8932f4f9425a5deca0c24432d1731906f6f5a939481ca8502d6dee4f2
                                    • Instruction Fuzzy Hash: 97E0C236004201FFDA115FE2EC0C90ABB79FB89722B108231F219A1871CB3394B8DB90
                                    APIs
                                      • Part of subcall function 00DA0DB6: std::exception::exception.LIBCMT ref: 00DA0DEC
                                      • Part of subcall function 00DA0DB6: __CxxThrowException@8.LIBCMT ref: 00DA0E01
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00D87A51: _memmove.LIBCMT ref: 00D87AAB
                                    • __swprintf.LIBCMT ref: 00D92ECD
                                    Strings
                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D92D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                    • API String ID: 1943609520-557222456
                                    APIs
                                      • Part of subcall function 00D84750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D84743,?,?,00D837AE,?), ref: 00D84770
                                    • CoInitialize.OLE32(00000000), ref: 00DEB9BB
                                    • CoCreateInstance.COMBASE(00E12D6C,00000000,00000001,00E12BDC,?), ref: 00DEB9D4
                                    • CoUninitialize.COMBASE ref: 00DEB9F1
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    Strings
                                    Similarity
                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                    • String ID: .lnk
                                    • API String ID: 2126378814-24824748
                                    APIs
                                    • OleSetContainedObject.OLE32(?,00000001), ref: 00DDB4BE
                                    Strings
                                    Similarity
                                    • API ID: ContainedObject
                                    • String ID: AutoIt3GUI$Container$%
                                    • API String ID: 3565006973-1286912533
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00DA50AD
                                      • Part of subcall function 00DB00F0: __87except.LIBCMT ref: 00DB012B
                                    Strings
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _memset$_memmove
                                    • String ID: ERCP
                                    • API String ID: 2532777613-1384759551
                                    APIs
                                      • Part of subcall function 00DE14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DD9296,?,?,00000034,00000800,?,00000034), ref: 00DE14E6
                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DD983F
                                      • Part of subcall function 00DE1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DD92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00DE14B1
                                      • Part of subcall function 00DE13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00DE1409
                                      • Part of subcall function 00DE13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DD925A,00000034,?,?,00001004,00000000,00000000), ref: 00DE1419
                                      • Part of subcall function 00DE13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DD925A,00000034,?,?,00001004,00000000,00000000), ref: 00DE142F
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DD98AC
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DD98F9
                                    Strings
                                    Similarity
                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                    • String ID: @
                                    • API String ID: 4150878124-2766056989
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E0F910,00000000,?,?,?,?), ref: 00E079DF
                                    • GetWindowLongW.USER32 ref: 00E079FC
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E07A0C
                                    Strings
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E07461
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E07475
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E07499
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    APIs
                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E07C4A
                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E07C58
                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E07C5F
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$DestroyWindow
                                    • String ID: msctls_updown32
                                    • API String ID: 4014797782-2298589950
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E06D3B
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E06D4B
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E06D70
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    APIs
                                    • __snwprintf.LIBCMT ref: 00DF3A66
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                    Strings
                                    Similarity
                                    • API ID: __snwprintf_memmove
                                    • String ID: , $$AUTOITCALLVARIABLE%d$%
                                    • API String ID: 3506404897-3879706725
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E07772
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E07787
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E07794
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: __calloc_crt
                                    • String ID: $@B
                                    • API String ID: 3494438863-460053111
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00D84AD0), ref: 00D84B45
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D84B57
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00D84BD0,?,00D84DEF,?,00E452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84C11
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D84C23
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00D84B83,?), ref: 00D84C44
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D84C56
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00E01039), ref: 00E00DF5
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E00E07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00DF8CF4,?,00E0F910), ref: 00DF90EE
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00DF9100
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: LocalTime__swprintf
                                    • String ID: %.3d$WIN_XPe
                                    • API String ID: 2070861257-2409531811
                                    APIs
                                    • CharLowerBuffW.USER32(?,?), ref: 00DFE0BE
                                    • CharLowerBuffW.USER32(?,?), ref: 00DFE101
                                      • Part of subcall function 00DFD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DFD7C5
                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00DFE301
                                    • _memmove.LIBCMT ref: 00DFE314
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                    • String ID:
                                    • API String ID: 3659485706-0
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 00DF80C3
                                    • CoUninitialize.COMBASE ref: 00DF80CE
                                      • Part of subcall function 00DDD56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00DDD5D4
                                    • VariantInit.OLEAUT32(?), ref: 00DF80D9
                                    • VariantClear.OLEAUT32(?), ref: 00DF83AA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                    • String ID:
                                    • API String ID: 780911581-0
                                    APIs
                                    • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DD76EA
                                    • CoTaskMemFree.COMBASE(00000000), ref: 00DD7702
                                    • CLSIDFromProgID.COMBASE(?,?), ref: 00DD7727
                                    • _memcmp.LIBCMT ref: 00DD7748
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: FromProg$FreeTask_memcmp
                                    • String ID:
                                    • API String ID: 314563124-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    APIs
                                      • Part of subcall function 00D84EE5: _fseek.LIBCMT ref: 00D84EFD
                                      • Part of subcall function 00DE9734: _wcscmp.LIBCMT ref: 00DE9824
                                      • Part of subcall function 00DE9734: _wcscmp.LIBCMT ref: 00DE9837
                                    • _free.LIBCMT ref: 00DE96A2
                                    • _free.LIBCMT ref: 00DE96A9
                                    • _free.LIBCMT ref: 00DE9714
                                      • Part of subcall function 00DA2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA9A24), ref: 00DA2D69
                                      • Part of subcall function 00DA2D55: GetLastError.KERNEL32(00000000,?,00DA9A24), ref: 00DA2D7B
                                    • _free.LIBCMT ref: 00DE971C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    APIs
                                    • GetWindowRect.USER32(0103E558,?), ref: 00E09863
                                    • ScreenToClient.USER32(00000002,00000002), ref: 00E09896
                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E09903
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    APIs
                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00DD9AD2
                                    • __itow.LIBCMT ref: 00DD9B03
                                      • Part of subcall function 00DD9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00DD9DBE
                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00DD9B6C
                                    • __itow.LIBCMT ref: 00DD9BC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow
                                    • String ID:
                                    • API String ID: 3379773720-0
                                    • Opcode ID: 195028b0aaeba7892163911f80b83c5003f4c9aa9e7713038d6d992e9c82c27a
                                    • Instruction ID: 20cce0884f50936f3d9015d63d2ef7b96b3439351df6ea81434b122f981271ca
                                    • Opcode Fuzzy Hash: 195028b0aaeba7892163911f80b83c5003f4c9aa9e7713038d6d992e9c82c27a
                                    • Instruction Fuzzy Hash: CB419074A00208ABDF21EF54D895BEEBFB9EF44724F05006AF905A7391DB719A44CBB1
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DEB89E
                                    • GetLastError.KERNEL32(?,00000000), ref: 00DEB8C4
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DEB8E9
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DEB915
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    • Opcode ID: 4946cd376c9fdd7ac5e78a8cfce9d3bccedaaac15bffa824e4f529cc349f4232
                                    • Instruction ID: e64d5627d33776f38b8f0228cc87d67c317433e6bd4b360f7cd757db1095c019
                                    • Opcode Fuzzy Hash: 4946cd376c9fdd7ac5e78a8cfce9d3bccedaaac15bffa824e4f529cc349f4232
                                    • Instruction Fuzzy Hash: 62413A35600651DFCB11EF15C494A6ABBF1EF49724F098099EC8AAB762CB30FD41DBA1
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E088DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 72d5c0451204c207d21de1acfeac889ec4dbf45fe5d7d8d147667eab0711bdf2
                                    • Instruction ID: 9b44d657e66191cd1c40abbfab884cb94a440309de066165c3b326720a1d939b
                                    • Opcode Fuzzy Hash: 72d5c0451204c207d21de1acfeac889ec4dbf45fe5d7d8d147667eab0711bdf2
                                    • Instruction Fuzzy Hash: 7831E334600108EFEB28AE58CE45BB877A5EB45314FD45112F9D9F62E1CE31E9D09BA2
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 00E0AB60
                                    • GetWindowRect.USER32(?,?), ref: 00E0ABD6
                                    • PtInRect.USER32(?,?,00E0C014), ref: 00E0ABE6
                                    • MessageBeep.USER32(00000000), ref: 00E0AC57
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    • Opcode ID: ada47a7cd5a16a4027c072741d327f109846679954cf8cbf12eb938525006754
                                    • Instruction ID: fe7db7d0f1e26d2e67d5960b25d8fea7b5e5312ae81a083c94ba0b034f0a7945
                                    • Opcode Fuzzy Hash: ada47a7cd5a16a4027c072741d327f109846679954cf8cbf12eb938525006754
                                    • Instruction Fuzzy Hash: B341AF3460021DDFDB25DF59C8C4A99BBF6FB49300F1990B9E414AB2A1C731A885CB92
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00DE0B27
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00DE0B43
                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00DE0BA9
                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00DE0BFB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: 05be255acf0f858e74eeedf90bb2f071e4c599b64e7aa581073a7b30d325fb09
                                    • Instruction ID: e33d9c8790626b752cef286650778f4362fc3829dc26e2e313b15d4036c6d2b0
                                    • Opcode Fuzzy Hash: 05be255acf0f858e74eeedf90bb2f071e4c599b64e7aa581073a7b30d325fb09
                                    • Instruction Fuzzy Hash: 37312630940288AEEB30AB278C05BFABFA9BB45318F4C425AE485521D1C3F589D4D771
                                    APIs
                                    • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00DE0C66
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00DE0C82
                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00DE0CE1
                                    • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00DE0D33
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: aa5d785a1f606fec1a5e9eb607c2f826bcc3f13d23c7fc372d972076d7158eac
                                    • Instruction ID: 58cb422839eb186118d16724ebfe6988e673abd2f2ca4ea393c6b4a597de07a8
                                    • Opcode Fuzzy Hash: aa5d785a1f606fec1a5e9eb607c2f826bcc3f13d23c7fc372d972076d7158eac
                                    • Instruction Fuzzy Hash: F13126309006886EFF30AB678C047FEBF6AEB45310F18431AE481625D1C3B999D9C7B2
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DB61FB
                                    • __isleadbyte_l.LIBCMT ref: 00DB6229
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DB6257
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DB628D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: 638535a0b11cee46596ba44801c17b6d6be0f507349ae5f7c0d9da6884744594
                                    • Instruction ID: 4f5195457c23dd6fdd43e0c73c0053e8c1a119cf2d1fb85691c88b33f8e6324d
                                    • Opcode Fuzzy Hash: 638535a0b11cee46596ba44801c17b6d6be0f507349ae5f7c0d9da6884744594
                                    • Instruction Fuzzy Hash: AC31C031600246EFEF218F69CC44BBA7BA9FF42350F194028F86697191E735D950DB60
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 00E04F02
                                      • Part of subcall function 00DE3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DE365B
                                      • Part of subcall function 00DE3641: GetCurrentThreadId.KERNEL32 ref: 00DE3662
                                      • Part of subcall function 00DE3641: AttachThreadInput.USER32(00000000,?,00DE5005), ref: 00DE3669
                                    • GetCaretPos.USER32(?), ref: 00E04F13
                                    • ClientToScreen.USER32(00000000,?), ref: 00E04F4E
                                    • GetForegroundWindow.USER32 ref: 00E04F54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    • Opcode ID: c2f837ccfa41a62ace92117f1cc09ae0377e4bcc72a7df491be351d276f29b31
                                    • Instruction ID: 2636992c7f610ec698a1d3d52fa2068062fc5637f5406d107fbc0a4023ca7bdd
                                    • Opcode Fuzzy Hash: c2f837ccfa41a62ace92117f1cc09ae0377e4bcc72a7df491be351d276f29b31
                                    • Instruction Fuzzy Hash: 8E312FB1D00108AFCB10EFB5C8859EFB7F9EF88304F14406AE455E7241DA719E458BB0
                                    APIs
                                      • Part of subcall function 00DD810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD8121
                                      • Part of subcall function 00DD810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD812B
                                      • Part of subcall function 00DD810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD813A
                                      • Part of subcall function 00DD810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00DD8141
                                      • Part of subcall function 00DD810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8157
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DD86A3
                                    • _memcmp.LIBCMT ref: 00DD86C6
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD86FC
                                    • HeapFree.KERNEL32(00000000), ref: 00DD8703
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                    • String ID:
                                    • API String ID: 2182266621-0
                                    • Opcode ID: 43872f2bb84195f544c3bc255d9734317817d64b217606ded88a99219630b38d
                                    • Instruction ID: c4e6908ce3a6467a7efe6d4557af88d30d13c78ca3fa1233052b3abbabee938c
                                    • Opcode Fuzzy Hash: 43872f2bb84195f544c3bc255d9734317817d64b217606ded88a99219630b38d
                                    • Instruction Fuzzy Hash: B8217C71E41208EFDB11DFA8C949BEEB7B8EF44314F19405AE444A7241EB31AE49DB60
                                    APIs
                                    • __setmode.LIBCMT ref: 00DA09AE
                                      • Part of subcall function 00D85A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DE7896,?,?,00000000), ref: 00D85A2C
                                      • Part of subcall function 00D85A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DE7896,?,?,00000000,?,?), ref: 00D85A50
                                    • _fprintf.LIBCMT ref: 00DA09E5
                                    • OutputDebugStringW.KERNEL32(?), ref: 00DD5DBB
                                      • Part of subcall function 00DA4AAA: _flsall.LIBCMT ref: 00DA4AC3
                                    • __setmode.LIBCMT ref: 00DA0A1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                    • String ID:
                                    • API String ID: 521402451-0
                                    • Opcode ID: 549719d8249ea76cbf173da76ff32cb8c4b408c8baef33283eb5654a00c31269
                                    • Instruction ID: 0acb241f677f35e6cb12f29eed694d8daf2e7f28d61cf91647f67832f4584173
                                    • Opcode Fuzzy Hash: 549719d8249ea76cbf173da76ff32cb8c4b408c8baef33283eb5654a00c31269
                                    • Instruction Fuzzy Hash: 861136329042046FDB04B7B4AC879FEBBA9DF87320F280156F105672D2EEA1584697B1
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DF17A3
                                      • Part of subcall function 00DF182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DF184C
                                      • Part of subcall function 00DF182D: InternetCloseHandle.WININET(00000000), ref: 00DF18E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    • Opcode ID: 499bf3b34715c286618f681e1c7e35bd728bd7a634a5a8365535eeac8325045e
                                    • Instruction ID: 510aba4b38c25bb4712568fb2282f263654e6224a565d3b07c6757ef8e5e32cd
                                    • Opcode Fuzzy Hash: 499bf3b34715c286618f681e1c7e35bd728bd7a634a5a8365535eeac8325045e
                                    • Instruction Fuzzy Hash: CE21D439200609FFEB129F60CC00FBABBA9FF48750F19802AFB45A6550D771D82197B0
                                    APIs
                                    • GetFileAttributesW.KERNEL32(?,00E0FAC0), ref: 00DE3A64
                                    • GetLastError.KERNEL32 ref: 00DE3A73
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DE3A82
                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E0FAC0), ref: 00DE3ADF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 2267087916-0
                                    • Opcode ID: 1bbdda421bd36b25a7e716dc8a880eeb8579b46e333a63f60c66970fbf55c34e
                                    • Instruction ID: 44cf04752b747b07af27682a65fb3b49eef6a33caa1b47a2f280053764649230
                                    • Opcode Fuzzy Hash: 1bbdda421bd36b25a7e716dc8a880eeb8579b46e333a63f60c66970fbf55c34e
                                    • Instruction Fuzzy Hash: 052194345083419FC310FF29D88587A77E8EF55364F144A29F4D9D72A1D731DA89CBA2
                                    APIs
                                    • _free.LIBCMT ref: 00DB5101
                                      • Part of subcall function 00DA571C: __FF_MSGBANNER.LIBCMT ref: 00DA5733
                                      • Part of subcall function 00DA571C: __NMSG_WRITE.LIBCMT ref: 00DA573A
                                      • Part of subcall function 00DA571C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001), ref: 00DA575F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: dc2cbb28b99419076fd9812872857613e89b370b3a8fafe9de90684994928720
                                    • Instruction ID: 72cd961652501aef1111398cdc26c15baefb3fb75ea58189395b04448a202977
                                    • Opcode Fuzzy Hash: dc2cbb28b99419076fd9812872857613e89b370b3a8fafe9de90684994928720
                                    • Instruction Fuzzy Hash: C3110672904B11EECF313F79BC0579D3798DF063E1B244929FA4AA6155DE35C84097B0
                                    APIs
                                    • _memset.LIBCMT ref: 00D844CF
                                      • Part of subcall function 00D8407C: _memset.LIBCMT ref: 00D840FC
                                      • Part of subcall function 00D8407C: _wcscpy.LIBCMT ref: 00D84150
                                      • Part of subcall function 00D8407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D84160
                                    • KillTimer.USER32(?,00000001,?,?), ref: 00D84524
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D84533
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DBD4B9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    • Opcode ID: 6b31951ca4cd9689c24ad4b964498f2f7b6578b589d20f0fb03210a990329d01
                                    • Instruction ID: 7509f6928c5c60f0931384f5cb1a18cc4d8a35a91d6dbc8666bdb3cee9f037c7
                                    • Opcode Fuzzy Hash: 6b31951ca4cd9689c24ad4b964498f2f7b6578b589d20f0fb03210a990329d01
                                    • Instruction Fuzzy Hash: 592107B4904794DFE7329B248855BEBBBECAF02314F08009EE6DE56142D3756988CB61
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DD85E2
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00DD85E9
                                    • CloseHandle.KERNEL32(00000004), ref: 00DD8603
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DD8632
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 2621361867-0
                                    • Opcode ID: da94db9a584b46ac160ffea5816784d7d0f2b315d492dbba87eba41fd8073e51
                                    • Instruction ID: 23e1591dd394381dc3a6c4999b4d56db01539a59d97d1799dfc68f9047ee1d09
                                    • Opcode Fuzzy Hash: da94db9a584b46ac160ffea5816784d7d0f2b315d492dbba87eba41fd8073e51
                                    • Instruction Fuzzy Hash: 49115C72500249AFDF128FA5ED49BDE7BA9EF08714F084065FE04A2160C772DD64EB61
                                    APIs
                                      • Part of subcall function 00D85A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DE7896,?,?,00000000), ref: 00D85A2C
                                      • Part of subcall function 00D85A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DE7896,?,?,00000000,?,?), ref: 00D85A50
                                    • gethostbyname.WS2_32(?), ref: 00DF6399
                                    • WSAGetLastError.WS2_32(00000000), ref: 00DF63A4
                                    • _memmove.LIBCMT ref: 00DF63D1
                                    • inet_ntoa.WS2_32(?), ref: 00DF63DC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                    • String ID:
                                    • API String ID: 1504782959-0
                                    • Opcode ID: 2e803503b684d6cde143801127332b06dc166d6bc28adaf1915e306cf8dea4ee
                                    • Instruction ID: 455006c72b4ec21f81c39bca5a720a75a406003d69d99c3630fc8f8d9c6bbd7e
                                    • Opcode Fuzzy Hash: 2e803503b684d6cde143801127332b06dc166d6bc28adaf1915e306cf8dea4ee
                                    • Instruction Fuzzy Hash: 6B111936500109AFCB04FBA4DD96CFEB7B8EF08310B148165F606A7261DB31AE54DBB1
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00DD8B61
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD8B73
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD8B89
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD8BA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: bd327bd036dedae22cd315d43810d2e0cec9a4ffaab98207392b9a1e27a1c1d6
                                    • Instruction ID: ca03c5dafe39326bf991798f69647b1a3d3d3ac1625157177d3162015098b6e9
                                    • Opcode Fuzzy Hash: bd327bd036dedae22cd315d43810d2e0cec9a4ffaab98207392b9a1e27a1c1d6
                                    • Instruction Fuzzy Hash: DC115E79900218FFDB11DFA5CC84F9DBB74FB48710F214096E900B7250DA716E11EBA4
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DDFCED,?,00DE0D40,?,00008000), ref: 00DE115F
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00DDFCED,?,00DE0D40,?,00008000), ref: 00DE1184
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DDFCED,?,00DE0D40,?,00008000), ref: 00DE118E
                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00DDFCED,?,00DE0D40,?,00008000), ref: 00DE11C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CounterPerformanceQuerySleep
                                    • String ID:
                                    • API String ID: 2875609808-0
                                    • Opcode ID: c76c36dd43dd8c2d8c73cfa933913f7d27d1976c3d607a67fc5a863a4b509425
                                    • Instruction ID: c03ab3d1aafa910bd4c4cd1b3918d740a270f4ef752bca58ce0ed5b2eb6acebe
                                    • Opcode Fuzzy Hash: c76c36dd43dd8c2d8c73cfa933913f7d27d1976c3d607a67fc5a863a4b509425
                                    • Instruction Fuzzy Hash: 1F115A35E0165CDBCF04AFA6D848AEEBBB8FF09711F004055EA81B2241CB7095A4CBE1
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00DDD84D
                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DDD864
                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DDD879
                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00DDD897
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Type$Register$FileLoadModuleNameUser
                                    • String ID:
                                    • API String ID: 1352324309-0
                                    • Opcode ID: ba7cf8abef4f6fbe21b6f5ebfe32d76c609d6463154cd4abcd2c7afc0ac33d5a
                                    • Instruction ID: 2d331b7a0ab33cba0f3e06958919621ab4c6efaa25ef5b0bbe34e945edc7dbbf
                                    • Opcode Fuzzy Hash: ba7cf8abef4f6fbe21b6f5ebfe32d76c609d6463154cd4abcd2c7afc0ac33d5a
                                    • Instruction Fuzzy Hash: 49118E71601304DFEB318F51EC08F92BBBDEB00B00F10856AE956D6640D7B1E958EBB1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction ID: ed1f603ecadccb9952ea995eff22eda0998ab9b7104ad8d22f9ed8f11d2f9243
                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction Fuzzy Hash: DE014E7244814EFBCF266E84CC01CED3F72BB58351F598416FA5A58031D636C9B1ABA1
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00E0B2E4
                                    • ScreenToClient.USER32(?,?), ref: 00E0B2FC
                                    • ScreenToClient.USER32(?,?), ref: 00E0B320
                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E0B33B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClientRectScreen$InvalidateWindow
                                    • String ID:
                                    • API String ID: 357397906-0
                                    • Opcode ID: e21a54384fa4d4ed75427c1899e2f8a49c8d82828ebb8f290e9d2c23e1c049c9
                                    • Instruction ID: b39d338282aff8bd2358c40c6e4a38233571918ce9ed6e9b13425a8eece94ea6
                                    • Opcode Fuzzy Hash: e21a54384fa4d4ed75427c1899e2f8a49c8d82828ebb8f290e9d2c23e1c049c9
                                    • Instruction Fuzzy Hash: 32117775D00209EFDB11CF99D4449EEBBF9FF08310F104166E915E3620D735AAA58F90
                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00DE6BE6
                                      • Part of subcall function 00DE76C4: _memset.LIBCMT ref: 00DE76F9
                                    • _memmove.LIBCMT ref: 00DE6C09
                                    • _memset.LIBCMT ref: 00DE6C16
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00DE6C26
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                    • String ID:
                                    • API String ID: 48991266-0
                                    • Opcode ID: 8e5fc0ac378df60f327a8c5d98cd60b12d1c6d1827e4461c74fa0eb35bb96d45
                                    • Instruction ID: 6b5be9e42e33b563ea2a4b9080febadeca0bd2a09d694d7b50f77a58027c8541
                                    • Opcode Fuzzy Hash: 8e5fc0ac378df60f327a8c5d98cd60b12d1c6d1827e4461c74fa0eb35bb96d45
                                    • Instruction Fuzzy Hash: 6AF0543A100100ABCF417F56DC85A4ABF29EF45321F048065FE086E227C732E951DBB4
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 00D82231
                                    • SetTextColor.GDI32(?,000000FF), ref: 00D8223B
                                    • SetBkMode.GDI32(?,00000001), ref: 00D82250
                                    • GetStockObject.GDI32(00000005), ref: 00D82258
                                    • GetWindowDC.USER32(?,00000000), ref: 00DBBE83
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00DBBE90
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00DBBEA9
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00DBBEC2
                                    • GetPixel.GDI32(00000000,?,?), ref: 00DBBEE2
                                    • ReleaseDC.USER32(?,00000000), ref: 00DBBEED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: a0a79fd397ce26cf2f1562ac8b98223485f7cad14e9d0e8180a2b627dcd6ad19
                                    • Instruction ID: 78054244eda00f858d6401b69483df83131cd468907ebeb93671607423c6b72d
                                    • Opcode Fuzzy Hash: a0a79fd397ce26cf2f1562ac8b98223485f7cad14e9d0e8180a2b627dcd6ad19
                                    • Instruction Fuzzy Hash: 13E03932104244EEDB215FA5EC0D7E83B10EB15332F048366FA69680E287B249A4DB22
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 00DD871B
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00DD82E6), ref: 00DD8722
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DD82E6), ref: 00DD872F
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00DD82E6), ref: 00DD8736
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                    • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: edcb49c2cd20ac272a4a4d9ef3cd84000b7b3d14e50ad54385ec01aad48b978e
                                    • Instruction ID: 03cb9d7d29eb3affc4b64ed665abfd1bbbfad32fadb21acd64f52536b37efa0a
                                    • Opcode Fuzzy Hash: edcb49c2cd20ac272a4a4d9ef3cd84000b7b3d14e50ad54385ec01aad48b978e
                                    • Instruction Fuzzy Hash: 47E08636611211AFD7305FF65D0CB563BACEF50792F148828F245E9050DA358499D760
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %
                                    • API String ID: 0-2291192146
                                    • Opcode ID: 993443d96edb41b7ac1c5b7134b09307095e1564e577c8ff8f830050c03b716b
                                    • Instruction ID: b9a7f558254bbd0a476a22ffd5feb80cdf063b3e45d99566121cdb07be96bbfe
                                    • Opcode Fuzzy Hash: 993443d96edb41b7ac1c5b7134b09307095e1564e577c8ff8f830050c03b716b
                                    • Instruction Fuzzy Hash: F6B19F71804109DACF14FF98C885AFEB7B5EF44320F584066E952A7295EB34DE81CBB1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: __itow_s
                                    • String ID: xb$xb
                                    • API String ID: 3653519197-3775679291
                                    • Opcode ID: f78039c7b7f64559c013f8e8115b3d32b6ac8b9bd7b652f3f15e07ddd2d5711c
                                    • Instruction ID: 06fe0c47afbb7fddf9d84d4f39c27a9087d9320d9c610ec7ab69026747181f38
                                    • Opcode Fuzzy Hash: f78039c7b7f64559c013f8e8115b3d32b6ac8b9bd7b652f3f15e07ddd2d5711c
                                    • Instruction Fuzzy Hash: 60B15E74A00209EFCB14EF58D891DBABBB9FF59310F15805AFA459B291EB70E941CB70
                                    APIs
                                      • Part of subcall function 00D9FC86: _wcscpy.LIBCMT ref: 00D9FCA9
                                      • Part of subcall function 00D89837: __itow.LIBCMT ref: 00D89862
                                      • Part of subcall function 00D89837: __swprintf.LIBCMT ref: 00D898AC
                                    • __wcsnicmp.LIBCMT ref: 00DEB02D
                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00DEB0F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                    • String ID: LPT
                                    • API String ID: 3222508074-1350329615
                                    • Opcode ID: 5aa60d1dae3f99c8167264812620bf9ff9bebebd61be365e13c9539152500d05
                                    • Instruction ID: ca4a38f6a4af0a0c46629f73d935a1bfe8b92523f8313e6665ecbec17f4ebc28
                                    • Opcode Fuzzy Hash: 5aa60d1dae3f99c8167264812620bf9ff9bebebd61be365e13c9539152500d05
                                    • Instruction Fuzzy Hash: 4D616075A00215AFCB14EF95C891EAFB7B4EB09720F14406AF956AB351D770BE44CBB0
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 00D92968
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D92981
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    • Opcode ID: 9d4d5afd93341e9b3e470c860c2627259f84bee75e920493dd57dcd71027284b
                                    • Instruction ID: 3b2712b6dc34e14ccdb656dcac202488677c2ead4e36993354382d3c55b03e3c
                                    • Opcode Fuzzy Hash: 9d4d5afd93341e9b3e470c860c2627259f84bee75e920493dd57dcd71027284b
                                    • Instruction Fuzzy Hash: 905165B2408745ABD320EF10D886BAFBBF8FB85344F85885DF2D9510A1DB31856DCB66
                                    APIs
                                      • Part of subcall function 00D84F0B: __fread_nolock.LIBCMT ref: 00D84F29
                                    • _wcscmp.LIBCMT ref: 00DE9824
                                    • _wcscmp.LIBCMT ref: 00DE9837
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: a83cf0ceb23dc7782fb75bc9351340866e9f4784829bd82cf96f570a68d383ed
                                    • Instruction ID: 463096ebbb964be6cd09c6f0b7bf94f43a8a02d69f5061cec8f3715e8dfd1556
                                    • Opcode Fuzzy Hash: a83cf0ceb23dc7782fb75bc9351340866e9f4784829bd82cf96f570a68d383ed
                                    • Instruction Fuzzy Hash: 2C41C671A0024ABADF21AAA5CC95FEFBBBDDF86710F000469F904B7191DB719A04CB71
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID: Dd$Dd
                                    • API String ID: 1473721057-2413357308
                                    • Opcode ID: 445ef162d2db46ea5b1e58e80253d4d8457aea001fbc414a2a04888f18f13bf4
                                    • Instruction ID: 9a259786eee1034ef1b61954d28ef0c16199e20aa608d50dcfef98d3361ee124
                                    • Opcode Fuzzy Hash: 445ef162d2db46ea5b1e58e80253d4d8457aea001fbc414a2a04888f18f13bf4
                                    • Instruction Fuzzy Hash: 47510578604301DFEB54DF19C484A1ABBF1BB99354F58485EF9858B361D331E885CF62
                                    APIs
                                    • _memset.LIBCMT ref: 00DF259E
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DF25D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: fdca3ffc26bbcc7fa9d4ff02dbb1b2df36a2f98c0136e26575c04b3dd243bf37
                                    • Instruction ID: a51e1f18ebd78d67aa3a7430da4529377a6e57d103342ff175938c004bc3249d
                                    • Opcode Fuzzy Hash: fdca3ffc26bbcc7fa9d4ff02dbb1b2df36a2f98c0136e26575c04b3dd243bf37
                                    • Instruction Fuzzy Hash: 11310871905119ABCF11EFA5CC85EEEBFB8FF08310F104069F915A6162EB319956DB70
                                    APIs
                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00E07B61
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E07B76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: '
                                    • API String ID: 3850602802-1997036262
                                    • Opcode ID: 01ff49035254f76b02726bf4ba8a32c0d4c7a87ee6bf05af9807f5a2fb4a3477
                                    • Instruction ID: c7631298ae0db77ccb06aef9bfa223432b653e30e8a00c9070ad34410d9d81a6
                                    • Opcode Fuzzy Hash: 01ff49035254f76b02726bf4ba8a32c0d4c7a87ee6bf05af9807f5a2fb4a3477
                                    • Instruction Fuzzy Hash: 2F413874E0520A9FDB14CF69C881BEABBB5FF09304F10116AE944EB381D730A991CFA0
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 00E06B17
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E06B53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: 208849169fb2513c5af39fe485411c609813901842e5fc8a18c782ce42d214d5
                                    • Instruction ID: b9a49e93c6bed14aced79e0714a539a69b5ae19778d8acd0c4bbb9f205508f9a
                                    • Opcode Fuzzy Hash: 208849169fb2513c5af39fe485411c609813901842e5fc8a18c782ce42d214d5
                                    • Instruction Fuzzy Hash: 3E31B171200604AEDB10AF64CC80BFB73B9FF48764F10961AF9A5E7190DB31ACA1CB60
                                    APIs
                                    • _memset.LIBCMT ref: 00DE2911
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DE294C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 4ff660633b8c3b368478f8a48eedb7fdc6c2af55c6fcabc209c41bab98d359ff
                                    • Instruction ID: a721fddc75b027c807e3efef657e84e3e7699e66cfe32cbf7be0044b2535aad3
                                    • Opcode Fuzzy Hash: 4ff660633b8c3b368478f8a48eedb7fdc6c2af55c6fcabc209c41bab98d359ff
                                    • Instruction Fuzzy Hash: 0631E5715403459FDB28EF5ACC85BBEBBBCEF45350F181029E885A61A2DB709944CF71
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E06761
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E0676C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: 5143eed00ba3595fbd3b995692ebe7ece47773ca747e0868b5ff073a76ff9c79
                                    • Instruction ID: 03222616297804dffe339d7368f62062fb4f0396421d9c0578a079945592a2af
                                    • Opcode Fuzzy Hash: 5143eed00ba3595fbd3b995692ebe7ece47773ca747e0868b5ff073a76ff9c79
                                    • Instruction Fuzzy Hash: 1B11B675200209AFEF119F54DC80FEB37AAEB4436CF141126F914A72D1D671DCA187A0
                                    APIs
                                      • Part of subcall function 00D81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D81D73
                                      • Part of subcall function 00D81D35: GetStockObject.GDI32(00000011), ref: 00D81D87
                                      • Part of subcall function 00D81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D81D91
                                    • GetWindowRect.USER32(00000000,?), ref: 00E06C71
                                    • GetSysColor.USER32(00000012), ref: 00E06C8B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: 17b698e95f89daa5bddac691624d64c9dc5f2731640fa32423cb43289c2a561a
                                    • Instruction ID: cdf0a072f76f2a02954d2b57c4a4baa9c36bb0dd72354414fc5d5944d5281761
                                    • Opcode Fuzzy Hash: 17b698e95f89daa5bddac691624d64c9dc5f2731640fa32423cb43289c2a561a
                                    • Instruction Fuzzy Hash: 79212C76510209AFDF14DFA8CC45AFABBA8FB08318F005529F955E2290D635E8A5DB60
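The "API ID" line under each entry's Similarity heading is a key derived only from the API names listed under that entry's APIs heading, which makes it a cheap way to cluster functions across reports without comparing fuzzy hashes. The following Python parser is an added example and is not part of this report or of Joe Sandbox's own tooling: it reads "APIs" lines in the format printed above (including the "Part of subcall function" entries, which the key does include) and rebuilds the key. The construction rule is inferred from the entries on this page and is an assumption, not documented Joe Sandbox behaviour: CamelCase Win32 names are split into words, words shorter than four characters (Get, Sys, Url and the Ex/W suffixes) are dropped, underscore-prefixed CRT names are kept whole, words that occur more than once across the entry are listed first and separated from the single-occurrence words by a "$", and each group is sorted in code-point order. The sample input is constructed from the entry directly above.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" block of the entry above, copied as the
# report prints it (bullets, "Part of subcall function" prefixes, argument
# lists and "ref:" addresses are all part of the format).
SAMPLE_APIS = """\
  • Part of subcall function 00D81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D81D73
  • Part of subcall function 00D81D35: GetStockObject.GDI32(00000011), ref: 00D81D87
  • Part of subcall function 00D81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D81D91
• GetWindowRect.USER32(00000000,?), ref: 00E06C71
• GetSysColor.USER32(00000012), ref: 00E06C8B
"""

# One API line: optional subcall prefix, Name.MODULE, optional "(args)", then
# "ref: <hex>". Lines without an argument list ("GetCurrentThread.KERNEL32
# ref: ...") carry no comma before "ref:", so the comma is optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Return (name, module, ref, caller) for every API line in text.

    caller is the subcall function address for "Part of subcall function"
    lines and None for calls made directly by the function.
    """
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append((m["name"], m["module"], m["ref"], m["caller"]))
    return calls


def name_tokens(name):
    """Split an API name into the words the key is built from.

    Inferred rule (assumption that matches every entry on this page): CRT
    names starting with an underscore are one token; Win32 names are split
    on CamelCase words and words shorter than four characters are dropped.
    """
    if name.startswith("_"):
        return [name]
    return [w for w in re.findall(r"[A-Z][a-z]+", name) if len(w) >= 4]


def api_id(names):
    """Build the "API ID" key from one API name per call site.

    Words seen more than once come first, sorted, then "$", then the words
    seen exactly once, sorted; the "$" is omitted when either group is
    empty. Plain code-point sorting is what puts underscore-prefixed CRT
    names after the capitalised Win32 words.
    """
    counts = Counter(t for n in names for t in name_tokens(n))
    repeated = sorted(t for t, c in counts.items() if c > 1)
    unique = sorted(t for t, c in counts.items() if c == 1)
    sep = "$" if repeated and unique else ""
    return "".join(repeated) + sep + "".join(unique)


def api_id_for_block(text):
    """Parse an "APIs" block as printed in the report and return its key."""
    return api_id([name for name, _, _, _ in parse_api_lines(text)])


if __name__ == "__main__":
    for name, module, ref, caller in parse_api_lines(SAMPLE_APIS):
        where = f"via subcall {caller}" if caller else "direct"
        print(f"{name:<18} {module:<9} ref {ref} ({where})")
    print("API ID:", api_id_for_block(SAMPLE_APIS))
```

The key only carries API-name vocabulary, so two functions with the same key are candidates for being the same AutoIt runtime routine, not proof of it; the Opcode ID and fuzzy hashes remain the check for code-level similarity. The numeric "API String ID" pair is not reconstructed here.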
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 00E069A2
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E069B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: ae62fc76d47ce52b0f5ed76982fa8df82cc5901d5294af6c6b90034893fe161a
                                    • Instruction ID: 5cc4da380f39881feaf3d0b7c903345bdc952ec4a312104976f878b1f1149052
                                    • Opcode Fuzzy Hash: ae62fc76d47ce52b0f5ed76982fa8df82cc5901d5294af6c6b90034893fe161a
                                    • Instruction Fuzzy Hash: 58116A71500208AFEB108E64DC44BEB37A9EB85378F905724F9A5B75E0C672DCA59BA0
                                    APIs
                                    • _memset.LIBCMT ref: 00DE2A22
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00DE2A41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: dffc5c9dd66fcfac5cf5d348c7026ef122c54a8a0310597e85c5ae36071f2e15
                                    • Instruction ID: 9d7261bbdda4136b42dbb76900e28b3e8a4c969ca6af63466938909651b0fe38
                                    • Opcode Fuzzy Hash: dffc5c9dd66fcfac5cf5d348c7026ef122c54a8a0310597e85c5ae36071f2e15
                                    • Instruction Fuzzy Hash: AE11DD32941294ABCB34FA9ADC44BBA73ADAB46314F084031E855F72A1D770ED0AC7B1
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DF222C
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DF2255
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    • Opcode ID: 8b7be9a0abdf7c863944fecd70ef421c81e8e637282af10cc143a00a5bcd885f
                                    • Instruction ID: 9a8df5c8748bb60d147c4886f3d494c402b7610cdd165a9942942e895d8741e9
                                    • Opcode Fuzzy Hash: 8b7be9a0abdf7c863944fecd70ef421c81e8e637282af10cc143a00a5bcd885f
                                    • Instruction Fuzzy Hash: 7F113E70140229BEEB248F518C89EBBFBA8FF06351F01C22AFA4496040D3709890C6F1
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D83C14,00E452F8,?,?,?), ref: 00D9096E
                                      • Part of subcall function 00D87BCC: _memmove.LIBCMT ref: 00D87C06
                                    • _wcscat.LIBCMT ref: 00DC4CB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FullNamePath_memmove_wcscat
                                    • String ID: S
                                    • API String ID: 257928180-3334745618
                                    • Opcode ID: 665390aed70e632e6db65fdf45d2deaf094fc0fed366fa4357a8149b995dd491
                                    • Instruction ID: 8a1e1559ffce8897d894d7ec1442c248ac15635de9624d5d4946285638d2f6b9
                                    • Opcode Fuzzy Hash: 665390aed70e632e6db65fdf45d2deaf094fc0fed366fa4357a8149b995dd491
                                    • Instruction Fuzzy Hash: E711A535A05219AFCF10FF64DC06EDD77F8EF48350B1444A5B948E3186EA70EA848B30
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00DDAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00DDAABC
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DD8E73
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: 0570dbda33d7502ec1cabb15230fd5b3a507bcbf99c026576cecc77d5054ed6a
                                    • Instruction ID: dabc2190dcef123529053dccd576d10dd9a86360df7481cfa082b217572b25e6
                                    • Opcode Fuzzy Hash: 0570dbda33d7502ec1cabb15230fd5b3a507bcbf99c026576cecc77d5054ed6a
                                    • Instruction Fuzzy Hash: 1101F5B5601228ABCB15FBA4CC458FE7768EF41320B540B1AF871673D1DE329808DB70
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00DDAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00DDAABC
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00DD8D6B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: 1fae8ce4a585fd9643f90873fa573778e1bf3eeb9858de1d92ec8ebe994fc843
                                    • Instruction ID: b3c24400277520b5da791b0411bba77b57c1215b16a99a9d5beedddf192d7f5a
                                    • Opcode Fuzzy Hash: 1fae8ce4a585fd9643f90873fa573778e1bf3eeb9858de1d92ec8ebe994fc843
                                    • Instruction Fuzzy Hash: F101DFB5A41108ABCB25FBA0C956AFE77A9DF15340F64011AB842632E1DE259E08E7B1
                                    APIs
                                      • Part of subcall function 00D87DE1: _memmove.LIBCMT ref: 00D87E22
                                      • Part of subcall function 00DDAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00DDAABC
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00DD8DEE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: fbc443b0e20363f63a52d79c5b373f0214f664daf2c3ffce82d347a7aed8fd81
                                    • Instruction ID: 7927ffe941bff1cb62697efbc032192872e86bfaf4b8999efd8acbba4d41be70
                                    • Opcode Fuzzy Hash: fbc443b0e20363f63a52d79c5b373f0214f664daf2c3ffce82d347a7aed8fd81
                                    • Instruction Fuzzy Hash: D801F2B5A41208ABCB26FAA4C946AFE77A9CF11300F144116B841733D2DE259E0CE671
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00DDC534
                                      • Part of subcall function 00DDC816: _memmove.LIBCMT ref: 00DDC860
                                      • Part of subcall function 00DDC816: VariantInit.OLEAUT32(00000000), ref: 00DDC882
                                      • Part of subcall function 00DDC816: VariantCopy.OLEAUT32(00000000,?), ref: 00DDC88C
                                    • VariantClear.OLEAUT32(?), ref: 00DDC556
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Variant$Init$ClearCopy_memmove
                                    • String ID: d}
                                    • API String ID: 2932060187-1207350282
                                    • Opcode ID: e71ea053803df36aa2a090de8580815b3c991db69b8fbca132957843ec1b2812
                                    • Instruction ID: f9398dd822f95eec074d6d7eeacbb1188a9ded38b7bc538d556e48e5174bba90
                                    • Opcode Fuzzy Hash: e71ea053803df36aa2a090de8580815b3c991db69b8fbca132957843ec1b2812
                                    • Instruction Fuzzy Hash: 9B11FEB19007099FC720DF9AD88489AF7F8FB08314B50856FE58A97611D771AA49CB60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    • API String ID: 2292705959-463685578
                                    • Opcode ID: 538f0206aa1fbfa3f407f1fc47051e934d6a6b879b3111cfe47a1e056f328dc4
                                    • Instruction ID: 9037af8b05455070661fd223e50985ab0d7ada8d56ee08842aea0bf56b2a0b83
                                    • Opcode Fuzzy Hash: 538f0206aa1fbfa3f407f1fc47051e934d6a6b879b3111cfe47a1e056f328dc4
                                    • Instruction Fuzzy Hash: 04E09B329003282AD7209A5A9C49AA7F7ACDB46B71F000057FD04E2051D560AA5587E1
                                    APIs
                                      • Part of subcall function 00DBB314: _memset.LIBCMT ref: 00DBB321
                                      • Part of subcall function 00DA0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00E44158,00000000,00E44144,00DBB2F0,?,?,?,00D8100A), ref: 00DA0945
                                    • IsDebuggerPresent.KERNEL32(?,?,?,00D8100A), ref: 00DBB2F4
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D8100A), ref: 00DBB303
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DBB2FE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 3158253471-631824599
                                    • Opcode ID: 9afcdf46bd5a056a7d97e74f005e48d003394d6a1b843e74ad01bb75e3e27621
                                    • Instruction ID: b6e1dd5df88e57fbaa0e25949c4862836d24e2ec1386b9f5aaa6740b7f423ac7
                                    • Opcode Fuzzy Hash: 9afcdf46bd5a056a7d97e74f005e48d003394d6a1b843e74ad01bb75e3e27621
                                    • Instruction Fuzzy Hash: A1E03270200710CFD761AF29E8043827AE8EF01724F058A2EE496D6751EBB5A848CBB1
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00DC1775
                                      • Part of subcall function 00DFBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00DC195E,?), ref: 00DFBFFE
                                      • Part of subcall function 00DFBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DFC010
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00DC196D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                    • String ID: WIN_XPe
                                    • API String ID: 582185067-3257408948
                                    • Opcode ID: 5bc2be5c65ded841fa1c3fb46a89b1f47e7dc77c22165a57676f64a0580bb0cd
                                    • Instruction ID: 1ed3ea4938b0eb2619e3aa6ed9b46edc7620e959f490e3be056d4289d513e23a
                                    • Opcode Fuzzy Hash: 5bc2be5c65ded841fa1c3fb46a89b1f47e7dc77c22165a57676f64a0580bb0cd
                                    • Instruction Fuzzy Hash: C2F0157480001ADFDB26DBA1C984BECBAB8AB09301F140199E102B30A2D7718E88CF70
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E059AE
                                    • PostMessageW.USER32(00000000), ref: 00E059B5
                                      • Part of subcall function 00DE5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE52BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: 72de9bb3d114bdf4ca177ed9e7a2dd6cf95a2a085a840ec37608b036233a2a18
                                    • Instruction ID: eb65af580a948416afd9386e78193356cc33a2617bf6d70fbde14d35e0412adc
                                    • Opcode Fuzzy Hash: 72de9bb3d114bdf4ca177ed9e7a2dd6cf95a2a085a840ec37608b036233a2a18
                                    • Instruction Fuzzy Hash: 57D0C9317843117AE678BB71AC0FF966A15AB05B51F000825B345BA5D4C9E1A854C6A8
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E0596E
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E05981
                                      • Part of subcall function 00DE5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE52BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1421643506.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                     • Associated: 00000000.00000002.1421625841.0000000000D80000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000E4D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421643506.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421822351.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1421843326.0000000000ED8000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d80000_uIarPolvHR.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: a7817848d436f6dcdda7069d515ad90263435aba9cc87a17dcb671fb4f47b16b
                                    • Instruction ID: 4435b51a3c9e18e826b56f77495165445df53577168df9fe16c0781c67a94487
                                    • Opcode Fuzzy Hash: a7817848d436f6dcdda7069d515ad90263435aba9cc87a17dcb671fb4f47b16b
                                    • Instruction Fuzzy Hash: A5D0C931784311BAE678BB71AC1FF966A15AB00B51F000825B349BA5D4C9E19854C6A4