Windows Analysis Report
MLxloAVuCZ.exe

Overview

General Information

Sample name: MLxloAVuCZ.exe (renamed because the original name is a hash value)
Original sample name: d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
Analysis ID: 1587959
MD5: 5f38edf8c588efd365f6c82c92d5f0f6
SHA1: 6f8ec411858b7410a22401f6c9d6a2a5c45aaa9b
SHA256: d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877
Tags: exe, user-adrian__luca

Detection

Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • MLxloAVuCZ.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\MLxloAVuCZ.exe" MD5: 5F38EDF8C588EFD365F6C82C92D5F0F6)
    • derogates.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\MLxloAVuCZ.exe" MD5: 5F38EDF8C588EFD365F6C82C92D5F0F6)
      • svchost.exe (PID: 7916 cmdline: "C:\Users\user\Desktop\MLxloAVuCZ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • iexplore.exe (PID: 7932 cmdline: "c:\program files (x86)\internet explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)
  • wscript.exe (PID: 8020 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • derogates.exe (PID: 8080 cmdline: "C:\Users\user\AppData\Local\miaou\derogates.exe" MD5: 5F38EDF8C588EFD365F6C82C92D5F0F6)
      • svchost.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\miaou\derogates.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
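The extracted configuration is most useful once it is turned into things a responder can search for. The function below is an added example written for this page (not Joe Sandbox's extractor and not Remcos code): it parses the JSON above, splits each Host:Port:Password entry, normalises the Enable/Disable and 0/1 switches, and derives the two host artefacts this report observed to follow from the config: the HKCU\SOFTWARE\<mutex> key (Rmc-ZFXG9Y\exepath was set by PID 7916) and the keylog folder\file pair (logs.dat was found under C:\ProgramData\remcos). Treating those derivations as general Remcos behaviour, and the local SID range used for the generated Suricata rules, are assumptions beyond what this single report shows.

```python
"""Turn a Remcos configuration dump into hunting artefacts (added example, not report code)."""
import json

# The configuration string exactly as printed in this report.
CONFIG_JSON = r'''{"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}'''

# Fields that are on/off switches in this dump (assumption: the numeric fields such as
# "Connect interval" or "Screenshot time" are durations, not switches, and are excluded).
SWITCH_FIELDS = ("Install flag", "Setup HKCU\\Run", "Setup HKLM\\Run", "Startup value",
                 "Hide file", "Keylog flag", "Keylog crypt", "Hide keylog file",
                 "Screenshot flag", "Take Screenshot option", "Screenshot crypt",
                 "Mouse option", "Delete file")


def parse_c2(entry: str) -> tuple[str, int, str]:
    """'host:port:password' -> (host, port, password); split at most twice so a
    password containing ':' survives intact."""
    host, port, password = entry.split(":", 2)
    return host, int(port), password


def is_on(value: str) -> bool:
    """The dump mixes Enable/Disable with 1/0 ("Keylog flag": "1"); normalise both."""
    return value.strip().casefold() in {"enable", "enabled", "1", "true"}


def iocs_from_config(config_json: str) -> dict:
    """Network and host artefacts to hunt for, derived from the extracted config."""
    cfg = json.loads(config_json)
    mutex = cfg["Mutex"]
    return {
        "c2": [parse_c2(e) for e in cfg["Host:Port:Password"]],
        "mutex": mutex,
        # Observed in this report: HKCU\SOFTWARE\Rmc-ZFXG9Y\exepath written by the injected svchost.exe.
        "registry_key": "HKCU\\SOFTWARE\\" + mutex,
        # Observed in this report as C:\ProgramData\remcos\logs.dat.
        "keylog_relpath": cfg["Keylog folder"] + "\\" + cfg["Keylog file"],
        "enabled": sorted(k for k in SWITCH_FIELDS if k in cfg and is_on(cfg[k])),
    }


def suricata_rules(iocs: dict, first_sid: int = 1000001) -> list[str]:
    """One alert rule per C2 endpoint. SIDs start in the local-use range (assumed unused)."""
    msg = f"Remcos C2 {iocs['mutex']}"
    return [f'alert tcp $HOME_NET any -> {host} {port} (msg:"{msg}"; sid:{first_sid + n}; rev:1;)'
            for n, (host, port, _pw) in enumerate(iocs["c2"])]


if __name__ == "__main__":
    iocs = iocs_from_config(CONFIG_JSON)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("\n".join(suricata_rules(iocs)))
```

The derived registry key and keylog path match what the dynamic analysis recorded further down (Registry Key set on HKEY_CURRENT_USER\SOFTWARE\Rmc-ZFXG9Y\exepath; Yara hit on C:\ProgramData\remcos\logs.dat), which is a useful cross-check that the extractor read the right configuration blob.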
Yara matches on dropped files (Source | Rule | Description | Author):
  • C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches on memory dumps (Source | Rule | Description | Author); 38 entries in the full report, the first 5 are shown here:
  • 00000007.00000002.3876562999.0000000003200000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000007.00000002.3876896183.0000000004E1E000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000007.00000002.3876601412.0000000003212000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  • 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Yara matches on unpacked PEs (Source | Rule | Description | Author, with matched strings where the rule reports them); 43 entries in the full report, the first 5 are shown here:
  • 2.2.derogates.exe.b40000.1.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  • 2.2.derogates.exe.b40000.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 2.2.derogates.exe.b40000.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 2.2.derogates.exe.b40000.1.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6aab8:$a1: Remcos restarted by watchdog!
    • 0x6b030:$a3: %02i:%02i:%02i:%03i
  • 2.2.derogates.exe.b40000.1.raw.unpack | REMCOS_RAT_variants | unknown | unknown
    • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x64b7c:$str_b2: Executing file:
    • 0x65bfc:$str_b3: GetDirectListeningPort
    • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x65728:$str_b7: \update.vbs
    • 0x64ba4:$str_b9: Downloaded file:
    • 0x64b90:$str_b10: Downloading file:
    • 0x64c34:$str_b12: Failed to upload file:
    • 0x65bc4:$str_b13: StartForward
    • 0x65be4:$str_b14: StopForward
    • 0x65680:$str_b15: fso.DeleteFile "
    • 0x65614:$str_b16: On Error Resume Next
    • 0x656b0:$str_b17: fso.DeleteFolder "
    • 0x64c24:$str_b18: Uploaded file:
    • 0x64be4:$str_b19: Unable to delete:
    • 0x65648:$str_b20: while fso.FileExists("
    • 0x650c1:$str_c0: [Firefox StoredLogins not found]

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" , ProcessId: 8020, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\MLxloAVuCZ.exe", CommandLine: "C:\Users\user\Desktop\MLxloAVuCZ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MLxloAVuCZ.exe", ParentImage: C:\Users\user\AppData\Local\miaou\derogates.exe, ParentProcessId: 7876, ParentProcessName: derogates.exe, ProcessCommandLine: "C:\Users\user\Desktop\MLxloAVuCZ.exe", ProcessId: 7916, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" , ProcessId: 8020, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\MLxloAVuCZ.exe", CommandLine: "C:\Users\user\Desktop\MLxloAVuCZ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MLxloAVuCZ.exe", ParentImage: C:\Users\user\AppData\Local\miaou\derogates.exe, ParentProcessId: 7876, ParentProcessName: derogates.exe, ProcessCommandLine: "C:\Users\user\Desktop\MLxloAVuCZ.exe", ProcessId: 7916, ProcessName: svchost.exe
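The Sigma hits above come down to two process-creation patterns (a script host running a file from the Startup folder, and svchost.exe spawned by something other than the service control manager), and the process tree adds a third that Sigma does not name here: a system binary whose command line names a different executable, which is how hollowed svchost.exe (PID 7916) appears. The code below is an added example written for this page, not Joe Sandbox or Sigma code. Its event records are constructed from the process tree and Sigma data shown in this report; the explorer.exe parent of PIDs 7808 and 8020 is assumed (the report lists only PPID 4084 for wscript.exe), and the svchost.exe parent allowlist is a minimal assumption rather than the Sigma rule's exact filter.

```python
"""Triage process-creation events for the three behaviours this report shows
(added example, not report code): a script host launched from the Startup
folder, svchost.exe spawned by an unexpected parent, and a process whose image
name differs from the executable named in its command line."""
import ntpath

# Constructed from the process tree and Sigma data in this report. The
# explorer.exe parent of PIDs 7808 and 8020 is an assumption; PID 1234 is a
# legitimate service host added for contrast and does not appear in the report.
SAMPLE_EVENTS = [
    {"ProcessId": 7808, "Image": r"C:\Users\user\Desktop\MLxloAVuCZ.exe",
     "CommandLine": r'"C:\Users\user\Desktop\MLxloAVuCZ.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 7876, "Image": r"C:\Users\user\AppData\Local\miaou\derogates.exe",
     "CommandLine": r'"C:\Users\user\Desktop\MLxloAVuCZ.exe"',
     "ParentImage": r"C:\Users\user\Desktop\MLxloAVuCZ.exe"},
    {"ProcessId": 7916, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\MLxloAVuCZ.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\miaou\derogates.exe"},
    {"ProcessId": 8020, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs" ',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# Minimal allowlist (assumption): only services.exe is treated as a normal svchost launcher.
SVCHOST_PARENTS = {"services.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def base(path: str) -> str:
    """Case-folded file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path.strip('"')).casefold()


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    out, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def startup_script_launch(ev: dict) -> bool:
    """wscript/cscript executing a script that lives in a Startup folder."""
    if base(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    return any(STARTUP_MARKER in arg.casefold() and arg.casefold().endswith(SCRIPT_EXTS)
               for arg in tokens(ev["CommandLine"])[1:])


def uncommon_svchost_parent(ev: dict) -> bool:
    """svchost.exe whose parent is not a normal service-host launcher."""
    return base(ev["Image"]) == "svchost.exe" and base(ev["ParentImage"]) not in SVCHOST_PARENTS


def image_cmdline_mismatch(ev: dict) -> bool:
    """Image on disk differs from the executable named first on the command line,
    as the report shows for svchost.exe (PID 7916) running as MLxloAVuCZ.exe."""
    args = tokens(ev["CommandLine"])
    return bool(args) and base(args[0]) != base(ev["Image"])


RULES = (startup_script_launch, uncommon_svchost_parent, image_cmdline_mismatch)


def triage(events) -> list[tuple[int, str]]:
    """Return (pid, rule name) for every rule that fires on every event."""
    return [(ev["ProcessId"], rule.__name__) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the constructed events, PID 7916 trips both the parent and the mismatch check, PID 7876 trips the mismatch check alone (derogates.exe started with the dropper's command line, exactly as the process tree shows), PID 8020 trips the Startup-script check, and the contrast svchost.exe under services.exe is silent. The mismatch check is the one that survives a renamed dropper, since it depends on no path or name from this sample.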

                    Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\miaou\derogates.exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs

                    Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 30 0F C2 2C CB 87 25 B5 69 01 22 00 77 48 42 83 92 4F 9F E5 99 5F D5 7C 8A D8 0F 42 5F 17 45 BF 49 A5 42 D4 38 96 AA F2 0E 1B 47 44 16 9A 49 78 80 FC 66 0B 6B 55 83 8F 77 20 D0 5B F9 67 8C ED , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7916, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZFXG9Y\exepath

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
  • 2025-01-10T19:48:38.983696+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49807 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:49:21.341638+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49705 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:49:43.705614+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:63891 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:50:06.111549+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:63892 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:50:28.514508+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49799 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:50:50.952959+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49800 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:51:13.329619+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49801 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:51:35.704487+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49802 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:51:58.160413+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49803 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:52:20.564760+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49804 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:52:43.110246+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49805 | 192.3.64.152:2559 | TCP
  • 2025-01-10T19:53:05.519342+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8:49806 | 192.3.64.152:2559 | TCP
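Twelve alerts to the same destination at an almost constant cadence (about 22.4 s apart; the first gap is roughly twice that) is the kind of pattern a detection engineer wants to measure rather than eyeball, because the same measurement works on flows that no signature has named yet. The code below is an added example written for this page, not Suricata or Joe Sandbox code. It takes alert records transcribed from the table above, groups them by destination, and reports the median inter-connection interval, the relative jitter (median absolute deviation over the median, so one missed connection does not distort it) and how many gaps look like a skipped connection. The thresholds (six or more hits, jitter under 20 %, a gap longer than 1.5 times the median) are assumptions chosen for illustration.

```python
"""Profile periodic C2 connections from Suricata alert records (added example, not report code)."""
from datetime import datetime
from statistics import median

# Transcribed from the Suricata alert table in this report: (timestamp, src, sport, dst, dport).
ALERTS = [
    ("2025-01-10T19:48:38.983696+0100", "192.168.2.8", 49807, "192.3.64.152", 2559),
    ("2025-01-10T19:49:21.341638+0100", "192.168.2.8", 49705, "192.3.64.152", 2559),
    ("2025-01-10T19:49:43.705614+0100", "192.168.2.8", 63891, "192.3.64.152", 2559),
    ("2025-01-10T19:50:06.111549+0100", "192.168.2.8", 63892, "192.3.64.152", 2559),
    ("2025-01-10T19:50:28.514508+0100", "192.168.2.8", 49799, "192.3.64.152", 2559),
    ("2025-01-10T19:50:50.952959+0100", "192.168.2.8", 49800, "192.3.64.152", 2559),
    ("2025-01-10T19:51:13.329619+0100", "192.168.2.8", 49801, "192.3.64.152", 2559),
    ("2025-01-10T19:51:35.704487+0100", "192.168.2.8", 49802, "192.3.64.152", 2559),
    ("2025-01-10T19:51:58.160413+0100", "192.168.2.8", 49803, "192.3.64.152", 2559),
    ("2025-01-10T19:52:20.564760+0100", "192.168.2.8", 49804, "192.3.64.152", 2559),
    ("2025-01-10T19:52:43.110246+0100", "192.168.2.8", 49805, "192.3.64.152", 2559),
    ("2025-01-10T19:53:05.519342+0100", "192.168.2.8", 49806, "192.3.64.152", 2559),
]


def parse_ts(ts: str) -> datetime:
    """Suricata timestamps carry a +HHMM offset; %z parses that form on every Python 3."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_profile(alerts, min_hits=6, max_jitter=0.2, gap_factor=1.5) -> dict:
    """Per destination (ip, port): connection count, median interval in seconds,
    relative jitter, number of gaps long enough to be a skipped connection, and
    a periodic verdict. Thresholds are illustrative assumptions."""
    by_dst = {}
    for ts, _src, _sport, dst, dport in alerts:
        by_dst.setdefault((dst, dport), []).append(parse_ts(ts))
    profile = {}
    for key, times in by_dst.items():
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not deltas:
            profile[key] = {"count": len(times), "median_s": None, "jitter": None,
                            "gaps": 0, "periodic": False}
            continue
        med = median(deltas)
        # Median absolute deviation: a single 42 s gap among 22 s intervals barely moves it,
        # where a mean/stddev would report the stream as irregular.
        jitter = median(abs(d - med) for d in deltas) / med
        gaps = sum(1 for d in deltas if d > gap_factor * med)
        profile[key] = {"count": len(times), "median_s": round(med, 3),
                        "jitter": round(jitter, 4), "gaps": gaps,
                        "periodic": len(times) >= min_hits and jitter <= max_jitter}
    return profile


if __name__ == "__main__":
    for (dst, dport), p in beacon_profile(ALERTS).items():
        print(f"{dst}:{dport} hits={p['count']} median={p['median_s']}s "
              f"jitter={p['jitter']} gaps={p['gaps']} periodic={p['periodic']}")
```

On the transcribed alerts the profile for 192.3.64.152:2559 is 12 hits, a median interval of about 22.4 s, relative jitter near 0.1 % and one long gap (the 42 s interval between the first two alerts). The same function fed with a single alert returns periodic=False, which matters for an IDS stream where most destinations are seen once.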


                    AV Detection

Source: 00000007.00000002.3876562999.0000000003200000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | ReversingLabs: Detection: 78%
Source: MLxloAVuCZ.exe | ReversingLabs: Detection: 78%
Source: Yara match | File source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3876562999.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3876896183.0000000004E1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3876601412.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Joe Sandbox ML: detected
Source: MLxloAVuCZ.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_004338C8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,7_2_004338C8
Source: derogates.exe, 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_f5729dfa-0)

                    Exploits

Source: Yara match | File source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR

                    Privilege Escalation

Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00407538 _wcslen,CoGetObject,3_2_00407538
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00407538 _wcslen,CoGetObject,7_2_00407538
Source: MLxloAVuCZ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: derogates.exe, 00000002.00000003.1452126318.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000002.00000003.1451776465.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1565765032.0000000003680000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1567346824.0000000003570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: derogates.exe, 00000002.00000003.1452126318.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000002.00000003.1451776465.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1565765032.0000000003680000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1567346824.0000000003570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: svchost.exe, 00000003.00000003.1455985205.0000000003021000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1456512162.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, iexplore.exe, 00000004.00000002.1456171063.0000000000630000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: svchost.exe, 00000003.00000003.1455985205.0000000003021000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1456512162.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, 00000004.00000002.1456171063.0000000000630000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0010445A
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010C6D1 FindFirstFileW,FindClose,0_2_0010C6D1
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0010C75C
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0010EF95
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0010F0F2
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0010F3F3
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_001037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001037EF
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_00103B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00103B12
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0010BCBC
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0091445A
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0091C6D1 FindFirstFileW,FindClose,2_2_0091C6D1
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0091C75C
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0091EF95
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0091F0F2
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0091F3F3
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_009137EF
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00913B12
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0091BCBC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00407877 FindFirstFileW,FindNextFileW,3_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0044E8F9 FindFirstFileExA,3_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,7_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,7_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,7_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00407877 FindFirstFileW,FindNextFileW,7_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0044E8F9 FindFirstFileExA,7_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,7_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,7_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00407CD2

                    Networking

                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:63891 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49804 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49802 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49803 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:63892 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49799 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49705 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49805 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49801 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49806 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49800 -> 192.3.64.152:2559
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49807 -> 192.3.64.152:2559
                    Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 192.3.64.152 2559
                    Source: Malware configuration extractor | IPs: 192.3.64.152
                    Source: global traffic | TCP traffic: 192.168.2.8:49796 -> 1.1.1.1:53
                    Source: global traffic | TCP traffic: 192.168.2.8:63886 -> 162.159.36.2:53
                    Source: Joe Sandbox View | IP Address: 192.3.64.152
                    Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                    Source: unknown | DNS traffic detected: query: 171.39.242.20.in-addr.arpa, reply code: Name error (3)
                    Source: unknown | TCP traffic detected without corresponding DNS query (50 rows, in report order with repeat counts): 192.3.64.152 (x3), 162.159.36.2 (x4), 192.3.64.152 (x10), 1.1.1.1 (x4), 192.3.64.152 (x29)
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_001122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
                    Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
                    Source: svchost.exe | String found in binary or memory: http://geoplugin.net/json.gp
                    Source: derogates.exe, 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, derogates.exe, 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
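Three independent observations in this section point at the same endpoint: the Suricata JA3 alerts (SID 2036594) on 192.3.64.152:2559, the extracted Remcos configuration listing 192.3.64.152, and the repeated TCP connections to 192.3.64.152 that were never preceded by a DNS lookup (Remcos carries its C2 address as a literal, so no resolution is needed). The "without corresponding DNS query" rows for 1.1.1.1 and 162.159.36.2 are not indicators: those are the resolvers the sandbox itself reaches over TCP/53. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It parses rows laid out as in this section (the "Source: X | Label: value" layout and the sample rows are constructed here from the values above), aggregates IDS hits per destination, discards no-DNS destinations that are themselves port-53 targets, and reports only endpoints on which all three sources agree.

```python
"""Correlate sandbox Networking rows into corroborated C2 indicators.

Added example, not Joe Sandbox code. Input rows are assumed to follow the
'Source: <origin> | <label>: <value>' layout used in the section above;
SAMPLE_ROWS is constructed from that section's own values (abridged).
"""
import re
from collections import Counter

# Constructed sample rows (abridged copy of the Networking section).
SAMPLE_ROWS = """\
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:63891 -> 192.3.64.152:2559
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49804 -> 192.3.64.152:2559
Source: Malware configuration extractor | IPs: 192.3.64.152
Source: global traffic | TCP traffic: 192.168.2.8:49796 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 192.168.2.8:63886 -> 162.159.36.2:53
Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.64.152
"""

SURICATA_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TCP_RE = re.compile(r"TCP traffic: [\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
NODNS_RE = re.compile(r"without corresponding DNS query: (?P<dst>[\d.]+)$")
CONFIG_RE = re.compile(r"IPs: (?P<ips>[\d., ]+)$")  # config-extractor row


def extract_iocs(rows):
    """Parse report rows into {'c2', 'config_ips', 'no_dns', 'resolvers'}."""
    c2 = Counter()        # (dst, dport) -> number of Suricata hits
    no_dns = Counter()    # dst -> number of direct-to-IP connections
    resolvers = set()     # IPs that were the target of TCP/53 traffic
    config_ips = set()    # IPs the malware configuration extractor reported
    for row in rows.splitlines():
        if m := SURICATA_RE.search(row):
            c2[(m["dst"], int(m["dport"]))] += 1
        elif m := TCP_RE.search(row):
            if m["dport"] == "53":
                resolvers.add(m["dst"])
        elif m := NODNS_RE.search(row):
            no_dns[m["dst"]] += 1
        elif m := CONFIG_RE.search(row):
            config_ips.update(ip.strip() for ip in m["ips"].split(",") if ip.strip())
    # A connection with no preceding lookup is only interesting when the
    # target is not the resolver the sandbox talks to over TCP/53.
    hardcoded = {ip: n for ip, n in no_dns.items() if ip not in resolvers}
    return {"c2": dict(c2), "config_ips": config_ips,
            "no_dns": hardcoded, "resolvers": resolvers}


def corroborated_c2(iocs):
    """Endpoints where IDS alert, extracted config and no-DNS connects agree."""
    return sorted((ip, port) for (ip, port) in iocs["c2"]
                  if ip in iocs["config_ips"] and ip in iocs["no_dns"])


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_ROWS)
    for ip, port in corroborated_c2(found):
        print(f"C2 {ip}:{port}  ids_hits={found['c2'][(ip, port)]}  "
              f"direct_connects={found['no_dns'][ip]}")
```

Requiring agreement between the IDS signature, the configuration extractor and the traffic pattern is what keeps a block list clean: a JA3 hash alone can collide with legitimate TLS stacks, and a no-DNS connection alone flags every resolver and every hard-coded update server.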

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
                    Source: C:\Windows\SysWOW64\svchost.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_00114164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_00924164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_00113F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0012CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_0093CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: Yara match | File source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.3876562999.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3876896183.0000000004E1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3876601412.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041CA73 SystemParametersInfoW
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041CA73 SystemParametersInfoW

                    System Summary

                    Source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_000A3B3A This is a third-party compiled AutoIt script.
                    Source: MLxloAVuCZ.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: MLxloAVuCZ.exe, 00000000.00000003.1433226327.0000000003B83000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1ee70dea-6
                    Source: MLxloAVuCZ.exe, 00000000.00000003.1433226327.0000000003B83000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_b66d9bf2-6
                    Source: MLxloAVuCZ.exe, 00000000.00000000.1423016365.0000000000154000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e0156cda-a
                    Source: MLxloAVuCZ.exe, 00000000.00000000.1423016365.0000000000154000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_e7a032b9-b
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_008B3B3A This is a third-party compiled AutoIt script.
                    Source: derogates.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: derogates.exe, 00000002.00000000.1433722723.0000000000964000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d3897278-b
                    Source: derogates.exe, 00000002.00000000.1433722723.0000000000964000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_a2da74e1-4
                    Source: derogates.exe, 00000006.00000002.1569373716.0000000000964000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_359de1fa-4
                    Source: derogates.exe, 00000006.00000002.1569373716.0000000000964000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_f5f63f53-4
                    Source: MLxloAVuCZ.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5571c604-5
                    Source: MLxloAVuCZ.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_b085a12c-6
                    Source: derogates.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2196b966-a
                    Source: derogates.exe.0.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_ab4b6369-6
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\SysWOW64\svchost.exe | Process Stats: CPU usage > 49%
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 4_2_00633360 ExitProcess,NtSetInformationProcess,SetErrorMode
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 4_2_006333C0 NtSetInformationProcess,SetErrorMode
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_0010A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_000F8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function: 0_2_001051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function: 2_2_009151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00402213 appears 38 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004052FD appears 32 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0040417E appears 46 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00402093 appears 100 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401E65 appears 68 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434E70 appears 108 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401FAB appears 38 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004020DF appears 40 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434801 appears 82 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00457AA8 appears 34 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00445951 appears 56 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0044854A appears 36 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00411FA2 appears 32 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004046F7 appears 34 times
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe Code function: String function: 008D8900 appears 42 times
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe Code function: String function: 008D0AE3 appears 70 times
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe Code function: String function: 008B7DE1 appears 35 times
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe Code function: String function: 000A7DE1 appears 35 times
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe Code function: String function: 000C8900 appears 42 times
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe Code function: String function: 000C0AE3 appears 70 times
                    Source: MLxloAVuCZ.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@12/7@1/1
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010A06A GetLastError,FormatMessageW,0_2_0010A06A
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000F81CB AdjustTokenPrivileges,CloseHandle,0_2_000F81CB
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000F87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_000F87E1
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_009081CB AdjustTokenPrivileges,CloseHandle,2_2_009081CB
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_009087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_009087E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,3_2_0041798D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,7_2_0041798D
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0010B333
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0011EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0011EE0D
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0010C397
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_000A4E89
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_0041AADB
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeFile created: C:\Users\user\AppData\Local\miaouJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeFile created: C:\Users\user\AppData\Local\Temp\aut92C7.tmpJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs"
                    Source: MLxloAVuCZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: MLxloAVuCZ.exeReversingLabs: Detection: 78%
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeFile read: C:\Users\user\Desktop\MLxloAVuCZ.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\MLxloAVuCZ.exe "C:\Users\user\Desktop\MLxloAVuCZ.exe"
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeProcess created: C:\Users\user\AppData\Local\miaou\derogates.exe "C:\Users\user\Desktop\MLxloAVuCZ.exe"
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MLxloAVuCZ.exe"
                    Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\miaou\derogates.exe "C:\Users\user\AppData\Local\miaou\derogates.exe"
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\miaou\derogates.exe"
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeProcess created: C:\Users\user\AppData\Local\miaou\derogates.exe "C:\Users\user\Desktop\MLxloAVuCZ.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MLxloAVuCZ.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\miaou\derogates.exe "C:\Users\user\AppData\Local\miaou\derogates.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\miaou\derogates.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                    Source: MLxloAVuCZ.exeStatic file information: File size 1351680 > 1048576
                    Source: MLxloAVuCZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: MLxloAVuCZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: MLxloAVuCZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: MLxloAVuCZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: MLxloAVuCZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: MLxloAVuCZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: MLxloAVuCZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: wntdll.pdbUGP source: derogates.exe, 00000002.00000003.1452126318.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000002.00000003.1451776465.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1565765032.0000000003680000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1567346824.0000000003570000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: derogates.exe, 00000002.00000003.1452126318.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000002.00000003.1451776465.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1565765032.0000000003680000.00000004.00001000.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1567346824.0000000003570000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: svchost.pdb source: svchost.exe, 00000003.00000003.1455985205.0000000003021000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1456512162.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, iexplore.exe, 00000004.00000002.1456171063.0000000000630000.00000040.80000000.00040000.00000000.sdmp
                    Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000003.00000003.1455985205.0000000003021000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1456512162.0000000002FC0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, 00000004.00000002.1456171063.0000000000630000.00000040.80000000.00040000.00000000.sdmp
                    Source: MLxloAVuCZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: MLxloAVuCZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: MLxloAVuCZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: MLxloAVuCZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: MLxloAVuCZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A4B37 LoadLibraryA,GetProcAddress,0_2_000A4B37
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000C8945 push ecx; ret 0_2_000C8958
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_008D8945 push ecx; ret 2_2_008D8958
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00457186 push ecx; ret 3_2_00457199
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0045E55D push esi; ret 3_2_0045E566
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00457AA8 push eax; ret 3_2_00457AC6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00434EB6 push ecx; ret 3_2_00434EC9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00457186 push ecx; ret 7_2_00457199
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0045E55D push esi; ret 7_2_0045E566
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00457AA8 push eax; ret 7_2_00457AC6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00434EB6 push ecx; ret 7_2_00434EC9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00406EEB ShellExecuteW,URLDownloadToFileW,3_2_00406EEB
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeFile created: C:\Users\user\AppData\Local\miaou\derogates.exeJump to dropped file

                    Boot Survival

                    barindex
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbsJump to dropped file
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbsJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbsJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_0041AADB
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_000A48D7
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_00125376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00125376
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_008B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_008B48D7
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_00935376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00935376
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000C3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_000C3187
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040F7E2 Sleep,ExitProcess,3_2_0040F7E2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040F7E2 Sleep,ExitProcess,7_2_0040F7E2
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeAPI/Special instruction interceptor: Address: 1486564
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeAPI/Special instruction interceptor: Address: F20384
                    Source: derogates.exe, 00000006.00000003.1557690413.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1559943134.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000006.00000002.1570268620.0000000000E14000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1557549054.0000000000DBC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXEQ
                    Source: MLxloAVuCZ.exe, 00000000.00000003.1425561599.000000000120C000.00000004.00000020.00020000.00000000.sdmp, MLxloAVuCZ.exe, 00000000.00000002.1436578928.0000000001265000.00000004.00000020.00020000.00000000.sdmp, MLxloAVuCZ.exe, 00000000.00000003.1425658003.0000000001265000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000002.00000003.1436296027.000000000131C000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000002.00000002.1453942163.0000000001375000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000002.00000003.1436582733.0000000001375000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1557690413.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1559943134.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000006.00000002.1570268620.0000000000E14000.00000004.00000020.00020000.00000000.sdmp, derogates.exe, 00000006.00000003.1557549054.0000000000DBC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000B8C74 sldt word ptr [eax]0_2_000B8C74
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,3_2_0041A7D9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,7_2_0041A7D9
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeWindow / User API: threadDelayed 551Jump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeWindow / User API: threadDelayed 8879Jump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeWindow / User API: foregroundWindowGot 1738Jump to behavior
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-102687
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeAPI coverage: 4.4 %
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeAPI coverage: 4.6 %
                    Source: C:\Windows\SysWOW64\svchost.exe TID: 8124  Thread sleep count: 269 > 30
                    Source: C:\Windows\SysWOW64\svchost.exe TID: 8124  Thread sleep time: -134500s >= -30000s
                    Source: C:\Windows\SysWOW64\svchost.exe TID: 8128  Thread sleep count: 551 > 30
                    Source: C:\Windows\SysWOW64\svchost.exe TID: 8128  Thread sleep time: -1653000s >= -30000s
                    Source: C:\Windows\SysWOW64\svchost.exe TID: 8128  Thread sleep count: 8879 > 30
                    Source: C:\Windows\SysWOW64\svchost.exe TID: 8128  Thread sleep time: -26637000s >= -30000s
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0010445A
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010C6D1 FindFirstFileW,FindClose,0_2_0010C6D1
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0010C75C
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0010EF95
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0010F0F2
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0010F3F3
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_001037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001037EF
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_00103B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00103B12
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_0010BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0010BCBC
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0091445A
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_0091C6D1 FindFirstFileW,FindClose,2_2_0091C6D1
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0091C75C
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0091EF95
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0091F0F2
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0091F3F3
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_009137EF
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00913B12
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0091BCBC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_0040928E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041C322
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040C388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_004096A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_00408847
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00407877 FindFirstFileW,FindNextFileW,3_2_00407877
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0044E8F9 FindFirstFileExA,3_2_0044E8F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040BB6B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00419B86
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040BD72
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_0040928E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,7_2_0041C322
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,7_2_0040C388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_004096A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,7_2_00408847
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00407877 FindFirstFileW,FindNextFileW,7_2_00407877
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0044E8F9 FindFirstFileExA,7_2_0044E8F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,7_2_0040BB6B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,7_2_00419B86
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,7_2_0040BD72
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00407CD2
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_000A49A0
                    Source: wscript.exe, 00000005.00000002.1557433402.000001FEF4F84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
                    Source: svchost.exe, 00000007.00000002.3876601412.0000000003212000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfh,
                    Source: wscript.exe, 00000005.00000002.1557433402.000001FEF4F84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe  API call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\svchost.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\svchost.exe  Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_00113F09 BlockInput,0_2_00113F09
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_000A3B3A
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000D5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_000D5A7C
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A4B37 LoadLibraryA,GetProcAddress,0_2_000A4B37
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_01376698 mov eax, dword ptr fs:[00000030h]0_2_01376698
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_01377D08 mov eax, dword ptr fs:[00000030h]0_2_01377D08
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_01377D68 mov eax, dword ptr fs:[00000030h]0_2_01377D68
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_01485160 mov eax, dword ptr fs:[00000030h]2_2_01485160
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_014867D0 mov eax, dword ptr fs:[00000030h]2_2_014867D0
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_01486830 mov eax, dword ptr fs:[00000030h]2_2_01486830
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00443355 mov eax, dword ptr fs:[00000030h]3_2_00443355
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00633060 mov eax, dword ptr fs:[00000030h]4_2_00633060
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00633060 mov eax, dword ptr fs:[00000030h]4_2_00633060
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00633060 mov eax, dword ptr fs:[00000030h]4_2_00633060
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00633060 mov eax, dword ptr fs:[00000030h]4_2_00633060
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00633540 mov eax, dword ptr fs:[00000030h]4_2_00633540
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00633540 mov eax, dword ptr fs:[00000030h]4_2_00633540
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00633540 mov eax, dword ptr fs:[00000030h]4_2_00633540
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_006356A0 mov eax, dword ptr fs:[00000030h]4_2_006356A0
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_006356A0 mov ecx, dword ptr fs:[00000030h]4_2_006356A0
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00634610 mov eax, dword ptr fs:[00000030h]4_2_00634610
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00634610 mov eax, dword ptr fs:[00000030h]4_2_00634610
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00634610 mov eax, dword ptr fs:[00000030h]4_2_00634610
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00634610 mov eax, dword ptr fs:[00000030h]4_2_00634610
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00634410 mov eax, dword ptr fs:[00000030h]4_2_00634410
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 4_2_00634410 mov eax, dword ptr fs:[00000030h]4_2_00634410
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 6_2_00F205F0 mov eax, dword ptr fs:[00000030h]6_2_00F205F0
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 6_2_00F20650 mov eax, dword ptr fs:[00000030h]6_2_00F20650
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 6_2_00F1EF80 mov eax, dword ptr fs:[00000030h]6_2_00F1EF80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00443355 mov eax, dword ptr fs:[00000030h]7_2_00443355
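                    The `mov eax, dword ptr fs:[00000030h]` rows above are the x86 idiom for loading the PEB base from the TEB (offset 0x30); the usual follow-ups are a read of PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68) for anti-debug checks, or a walk of PEB.Ldr (+0x0C) to resolve APIs without an import table. The scanner below is an added example written for this report, not Joe Sandbox code: it finds both encodings of that load in a raw code blob and, as a heuristic, names the PEB field when the very next instruction dereferences the loaded register with a known 8-bit displacement. The image base, the sample bytes and the field table are constructed for the demo; 64-bit code (`gs:[60h]`) is not covered.

```python
"""Find x86 `mov r32, dword ptr fs:[30h]` (PEB base load) in raw code.

Added example for this report; it is not Joe Sandbox code.  The two
encodings behind the rows above are:
  64 A1 30 00 00 00        mov eax, fs:[30h]    (short moffs32 form)
  64 8B /r 30 00 00 00     mov r32, fs:[30h]    (ModRM mod=00, rm=101 = disp32)
Image base, sample bytes and the field table are constructed for the demo.
"""
import re
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# PEB fields commonly read right after the base load (x86 offsets).
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

# fs prefix, then A1 (eax) or 8B + a ModRM byte with mod=00, rm=101, then disp32 0x30.
_PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00",
    re.DOTALL,
)


def _field_hint(code: bytes, pos: int, reg: int) -> Optional[str]:
    """Heuristic: if the next instruction is mov r8/r32, [reg+disp8], name the PEB field."""
    if pos + 3 > len(code) or code[pos] not in (0x8A, 0x8B):
        return None
    modrm = code[pos + 1]
    if (modrm >> 6) != 1 or (modrm & 7) != reg:  # mod=01 (disp8) and rm must be our register
        return None
    return PEB_FIELDS.get(code[pos + 2])


def find_peb_loads(code: bytes, base: int = 0) -> List[Tuple[int, str, Optional[str]]]:
    """Return (address, disassembly, peb_field_or_None) for each PEB load in `code`."""
    hits = []
    for m in _PEB_LOAD.finditer(code):
        seq = m.group(0)
        reg = 0 if seq[1] == 0xA1 else (seq[2] >> 3) & 7
        hits.append((
            base + m.start(),
            f"mov {REG32[reg]}, dword ptr fs:[00000030h]",
            _field_hint(code, m.end(), reg),
        ))
    return hits


# Constructed sample: both load forms, each followed by a typical anti-debug read.
SAMPLE = (
    b"\x55\x8B\xEC"                     # push ebp ; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"         # mov eax, fs:[30h]
    b"\x8A\x40\x02"                     # mov al, [eax+2]      -> PEB.BeingDebugged
    b"\x90\x90"                         # nop ; nop
    b"\x64\x8B\x0D\x30\x00\x00\x00"     # mov ecx, fs:[30h]
    b"\x8B\x41\x68"                     # mov eax, [ecx+68h]   -> PEB.NtGlobalFlag
    b"\xC3"                             # ret
)

if __name__ == "__main__":
    for addr, asm, field in find_peb_loads(SAMPLE, base=0x400000):
        print(f"{addr:08X}  {asm}  {'-> PEB.' + field if field else ''}")
```

                    Run it over the unpacked `.text` section of the dumps listed under the Yara matches (the `*.unpack` files) rather than the packed sample; the AutoIt stub and the injected Remcos payload both resolve APIs through the PEB, so expect hits in both, and treat a hit followed by `BeingDebugged` or `NtGlobalFlag` as the anti-debug check rather than the loader walk.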
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000F80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_000F80A9
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000CA124 SetUnhandledExceptionFilter,0_2_000CA124
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000CA155
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_008DA124 SetUnhandledExceptionFilter,2_2_008DA124
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exeCode function: 2_2_008DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_008DA155
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0043503C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00434A8A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043BB71
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00434BD8 SetUnhandledExceptionFilter,3_2_00434BD8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0043503C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00434A8A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_0043BB71
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00434BD8 SetUnhandledExceptionFilter,7_2_00434BD8

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\SysWOW64\svchost.exe  Network Connect: 192.3.64.152 2559
                    Source: C:\Windows\SysWOW64\svchost.exe  Code function: 3_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 3_2_0041812A
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: A7B008
                    Source: C:\Windows\SysWOW64\svchost.exe  Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 292E008
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: D3F008
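                    The call chain in 3_2_0041812A is process hollowing in its section-mapping form: a new process is created, its original image is unmapped with NtUnmapViewOfSection, a section created with NtCreateSection is mapped into both the local and the remote process, the entry point is patched through WriteProcessMemory and Wow64SetThreadContext, and ResumeThread starts the payload. The classifier below is an added example written for this report, not Joe Sandbox code. It takes the comma-separated "Code function" chain exactly as printed, and checks it against a small table of ordered injection patterns of this example's own making (each step is a set of acceptable API names, and APIs between steps are ignored). The two svchost.exe chains are copied from the rows above; the CreateRemoteThread chain is constructed to show the same matcher covering the classic remote-thread pattern. Note that the chain cannot tell whether CreateProcessW was called with CREATE_SUSPENDED; that flag only shows up in the process-creation telemetry, not in the API sequence.

```python
"""Classify sandbox API-call chains against process-injection patterns.

Added example for this report, not Joe Sandbox code.  Input is the
comma-separated "Code function" chain as printed in the rows above; the
technique table is this example's own (ordered steps, each a set of
acceptable API names), and the CreateRemoteThread chain is constructed.
"""
from typing import Dict, List, Sequence, Set

# Each technique is an ordered list of steps; a step matches any API in its set.
INJECTION_PATTERNS: Dict[str, List[Set[str]]] = {
    "process hollowing (section-mapped)": [
        {"CreateProcessW", "CreateProcessA"},
        {"NtCreateSection", "ZwCreateSection"},
        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"NtMapViewOfSection", "ZwMapViewOfSection"},
        {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "process hollowing (WriteProcessMemory)": [
        {"CreateProcessW", "CreateProcessA"},
        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "remote thread injection": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
}


def parse_chain(chain: str) -> List[str]:
    """Split a Joe Sandbox 'Code function' string into API names, dropping empties."""
    return [api.strip() for api in chain.split(",") if api.strip()]


def matches_in_order(apis: Sequence[str], steps: Sequence[Set[str]]) -> bool:
    """True if every step is hit by some API, in order (gaps between steps allowed)."""
    idx = 0
    for api in apis:
        if idx < len(steps) and api in steps[idx]:
            idx += 1
    return idx == len(steps)


def classify(chain: str) -> List[str]:
    """Return the names of all injection patterns the chain satisfies."""
    apis = parse_chain(chain)
    return [name for name, steps in INJECTION_PATTERNS.items() if matches_in_order(apis, steps)]


# Chain from the svchost.exe row above (3_2_0041812A), unchanged.
HOLLOWING_CHAIN = (
    "GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,"
    "GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,"
    "NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,"
    "GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,"
    "Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,"
    "NtClose,TerminateProcess,GetLastError"
)
# Chain from the watchdog row below (3_2_00412132), unchanged: no injection in it.
BENIGN_CHAIN = "GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess"
# Constructed chain for the classic CreateRemoteThread pattern (not from the report).
CRT_CHAIN = "OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle"

if __name__ == "__main__":
    for label, chain in [("hollowing", HOLLOWING_CHAIN), ("watchdog", BENIGN_CHAIN), ("crt", CRT_CHAIN)]:
        print(label, "->", classify(chain) or ["no injection pattern"])
```

                    The report chain satisfies both hollowing variants because it maps the section and also calls WriteProcessMemory before setting the thread context; the section-mapped entry is the more specific description of what this sample does. The matcher is deliberately a subsequence check rather than an exact sequence, since the GetProcAddress/GetModuleHandleA noise at the start of the chain is the dynamic API resolution that precedes almost every injector.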
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe3_2_00412132
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe7_2_00412132
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000F87B1 LogonUserW,0_2_000F87B1
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_000A3B3A
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_000A48D7
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_00104C27 mouse_event,0_2_00104C27
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MLxloAVuCZ.exe"
                    Source: C:\Windows\SysWOW64\svchost.exe  Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                    Source: C:\Windows\System32\wscript.exe  Process created: C:\Users\user\AppData\Local\miaou\derogates.exe "C:\Users\user\AppData\Local\miaou\derogates.exe"
                    Source: C:\Users\user\AppData\Local\miaou\derogates.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\miaou\derogates.exe"
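                    The four "Process created" rows above carry the host-side artifacts of the hollowing chain that are cheap to alert on from process-creation telemetry alone: the image that runs is C:\Windows\SysWOW64\svchost.exe but its command line names the injector's own executable (the parent passed its path as the child's command line), that svchost.exe has a parent other than services.exe, it lives in SysWOW64, a script host launched a binary from %LOCALAPPDATA%, and a 32-bit svchost.exe then spawned Internet Explorer. The checks below are an added example written for this report, not Joe Sandbox code; the records are constructed from the rows above with Sysmon Event ID 1 style field names, plus one constructed clean service-host start as a baseline.

```python
"""Flag process-creation records that carry the artifacts visible in the rows above.

Added example for this report, not Joe Sandbox code.  The records are
constructed from the "Process created" rows (parent, image, command line);
field names mimic Sysmon Event ID 1 but the log itself is made up.
"""
from typing import Dict, List

Record = Dict[str, str]

SERVICE_HOSTS = {"svchost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_DROP_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a leading quoted path."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check(rec: Record) -> List[str]:
    """Return the anomalies found in one process-creation record."""
    image, parent, cmd = basename(rec["Image"]), basename(rec["ParentImage"]), rec["CommandLine"]
    findings = []
    # 1. The command line names a different executable than the image that actually runs:
    #    the hollowed host was started with the injector's own path as its command line.
    if basename(argv0(cmd)) != image:
        findings.append(f"image/command-line mismatch: {image} started as {basename(argv0(cmd))}")
    # 2. svchost.exe is only ever a child of services.exe on a healthy system.
    if image in SERVICE_HOSTS and parent != "services.exe":
        findings.append(f"{image} spawned by {parent}")
    # 3. A user-launched 32-bit svchost.exe out of SysWOW64 has no legitimate role.
    if image in SERVICE_HOSTS and "\\syswow64\\" in rec["Image"].lower():
        findings.append("32-bit svchost.exe from SysWOW64")
    # 4. A script host launching a binary dropped under a user-writable directory.
    if parent in SCRIPT_HOSTS and any(d in rec["Image"].lower() for d in SUSPICIOUS_DROP_DIRS):
        findings.append(f"{parent} launched dropped binary {image}")
    # 5. Children of a 32-bit svchost.exe (here: the hollowed host starting iexplore.exe).
    if parent in SERVICE_HOSTS and "\\syswow64\\" in rec["ParentImage"].lower():
        findings.append(f"child of 32-bit svchost.exe: {image}")
    return findings


def triage(records: List[Record]) -> Dict[str, List[str]]:
    """Map each record's image path to its findings, dropping clean records."""
    out = {}
    for rec in records:
        hits = check(rec)
        if hits:
            out[rec["Image"]] = hits
    return out


# Constructed from the "Process created" rows above.
RECORDS: List[Record] = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\user\AppData\Local\miaou\derogates.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\miaou\derogates.exe" '},
    {"ParentImage": r"C:\Users\user\AppData\Local\miaou\derogates.exe",
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\MLxloAVuCZ.exe"'},
    {"ParentImage": r"C:\Windows\SysWOW64\svchost.exe",
     "Image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "CommandLine": r'"c:\program files (x86)\internet explorer\iexplore.exe"'},
    # Constructed clean baseline: a normal service host start.
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for image, findings in triage(RECORDS).items():
        print(image)
        for f in findings:
            print("   ", f)
```

                    Check 1 is the most portable of the five: it does not depend on svchost.exe being the chosen host at all, so it also fires when a loader hollows a different decoy while passing its own path on the command line. Check 2 needs an allow-list on real fleets (MsMpEng and some installers start svchost.exe legitimately), which is why the checks are kept separate instead of folded into one score.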
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000F7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_000F7CAF
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000F874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_000F874B
                    Source: MLxloAVuCZ.exe, derogates.exe.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: svchost.exe, 00000007.00000002.3876734835.0000000003238000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerProgram Manager
                    Source: svchost.exe, 00000007.00000002.3876734835.0000000003238000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram Manager
                    Source: MLxloAVuCZ.exe, derogates.exeBinary or memory string: Shell_TrayWnd
                    Source: svchost.exe, 00000007.00000002.3876734835.0000000003236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager?
                    Source: svchost.exe, 00000007.00000002.3876734835.0000000003238000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerProgram ManagerR
                    Source: svchost.exe, 00000007.00000002.3876657584.0000000003231000.00000004.00000020.00020000.00000000.sdmp, logs.dat.7.drBinary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000C862B cpuid 0_2_000C862B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,3_2_0045201B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,3_2_004520B6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00452143
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,3_2_00452393
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,3_2_00448484
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_004524BC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,3_2_004525C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00452690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,3_2_0044896D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,3_2_0040F90C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00451D58
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,3_2_00451FD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,7_2_0045201B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,7_2_004520B6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_00452143
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,7_2_00452393
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,7_2_00448484
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_004524BC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,7_2_004525C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_00452690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,7_2_0044896D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,7_2_0040F90C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,7_2_00451D58
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,7_2_00451FD0
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000D4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_000D4E87
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000E1E06 GetUserNameW,0_2_000E1E06
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000D3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_000D3F3A
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exeCode function: 0_2_000A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_000A49A0
                    Source: C:\Users\user\Desktop\MLxloAVuCZ.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.3876562999.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3876896183.0000000004E1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3876601412.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data3_2_0040BA4D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data7_2_0040BA4D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\3_2_0040BB6B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: \key3.db3_2_0040BB6B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\7_2_0040BB6B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: \key3.db7_2_0040BB6B
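                    The paths in the rows above are the Chrome password database (`User Data\Default\Login Data`) and the Firefox master-key store (`key3.db`), both read here from the hollowed svchost.exe rather than from the browser. The detector below is an added example written for this report, not Joe Sandbox code: given file-access events with a process image and a target path, it flags every read of a browser credential store by a process that is not that browser. It goes beyond the two paths on the page by also covering Firefox's newer `key4.db` and `logins.json` and the Edge profile layout, which are general browser facts and not findings of this report; the events and the profile directory name are constructed.

```python
"""Flag file reads of browser credential stores by processes that are not the browser.

Added example for this report, not Joe Sandbox code.  The store list covers
the two paths in the rows above (Chrome "Login Data", Firefox key3.db) plus
the newer Firefox files (key4.db, logins.json) and the Edge profile layout;
the events and the Firefox profile name are constructed.
"""
import re
from typing import Dict, FrozenSet, List, Pattern, Tuple

# (regex over the lower-cased path, binaries that legitimately own that store)
CREDENTIAL_STORES: List[Tuple[Pattern, FrozenSet[str]]] = [
    (re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$"), frozenset({"chrome.exe"})),
    (re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\login data$"), frozenset({"msedge.exe"})),
    (re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(key3\.db|key4\.db|logins\.json)$"),
     frozenset({"firefox.exe"})),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_access(image: str, target: str) -> str:
    """'browser' if the owning browser touched its own store, 'theft' if any other
    process did, '' if the path is not a credential store at all."""
    path = target.replace("/", "\\").lower()
    for pattern, owners in CREDENTIAL_STORES:
        if pattern.search(path):
            return "browser" if basename(image) in owners else "theft"
    return ""


def find_theft(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (image, target) for every non-browser access to a credential store."""
    return [(e["Image"], e["TargetFilename"]) for e in events
            if classify_access(e["Image"], e["TargetFilename"]) == "theft"]


# Constructed events; the first two mirror the svchost.exe rows above.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key3.db"},
    # The browser reading its own store: expected, not theft.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Same process, unrelated file under the profile: not a credential store.
    {"Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0"},
]

if __name__ == "__main__":
    for image, target in find_theft(EVENTS):
        print(f"credential store read by non-browser: {image} -> {target}")
```

                    Two caveats when deploying this against real telemetry: the browser holds `Login Data` open with a lock, so stealers routinely copy it to %TEMP% first and read the copy, which means the copy (a file-create event whose source is the store) is the event to catch; and legitimate backup agents and browser password managers will trip the rule, so the owner sets should be extended per fleet rather than the rule disabled.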
                    Source: derogates.exeBinary or memory string: WIN_81
                    Source: derogates.exeBinary or memory string: WIN_XP
                    Source: derogates.exeBinary or memory string: WIN_XPe
                    Source: derogates.exeBinary or memory string: WIN_VISTA
                    Source: derogates.exeBinary or memory string: WIN_7
                    Source: derogates.exeBinary or memory string: WIN_8
                    Source: derogates.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                    Remote Access Functionality

                    Source: C:\Windows\SysWOW64\svchost.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
                    Source: C:\Windows\SysWOW64\svchost.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
Source: Yara match | File source: 2.2.derogates.exe.b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.derogates.exe.b40000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.derogates.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.derogates.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3876562999.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3876896183.0000000004E1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3876601412.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: derogates.exe PID: 7876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: derogates.exe PID: 8080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8100, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\svchost.exe | Code function 3_2_0040569A references the string cmd.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function 7_2_0040569A references the string cmd.exe
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function 0_2_00116283: socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\MLxloAVuCZ.exe | Code function 0_2_00116747: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function 2_2_00926283: socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\AppData\Local\miaou\derogates.exe | Code function 2_2_00926747: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK Matrix

The matrix was flattened in the source and is rebuilt here one tactic column at a time, in the report's row order. A technique followed by a bracketed number is one the report flagged; the number reproduces the report's hit badge exactly as shown. Entries without a number are the matrix's standard grid cells that received no hits for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API [2]; Command and Scripting Interpreter [1]; Service Execution [2]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting [111]; DLL Side-Loading [1]; Valid Accounts [2]; Windows Service [1]; Registry Run Keys / Startup Folder [2]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Bypass User Account Control [1]; Valid Accounts [2]; Access Token Manipulation [21]; Windows Service [1]; Process Injection [422]; Registry Run Keys / Startup Folder [2]; At; Cron
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [21]; Process Injection [422]
Credential Access: OS Credential Dumping [1]; Input Capture [221]; Credentials In Files [2]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [126]; Security Software Discovery [331]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [11]; System Owner/User Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [11]; Input Capture [221]; Clipboard Data [3]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer [11]; Encrypted Channel [2]; Remote Access Software [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Defacement [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph

Graph ID 1587959, sample MLxloAVuCZ.exe, start date 10/01/2025, architecture WINDOWS, score 100. The graph image is not reproduced; the process tree below is rebuilt from the graph's own text.

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures. DNS lookup: 171.39.242.20.in-addr.arpa.

MLxloAVuCZ.exe (root process)
    dropped: C:\Users\user\AppData\Local\...\derogates.exe (PE32)
    signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    started: derogates.exe
        dropped: C:\Users\user\AppData\...\derogates.vbs (data)
        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
        started: svchost.exe
            signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 7 other signatures
            started: iexplore.exe

wscript.exe (root process, runs the startup script)
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    started: derogates.exe
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
        started: svchost.exe
            network: 192.3.64.152:2559 (local ports 49705, 49799), AS-COLOCROSSINGUS, United States
            dropped: C:\ProgramData\remcos\logs.dat (data)
            signatures: System process connects to network (likely due to code injection or exploit); Installs a global keyboard hook

Two chains are visible: the submitted sample installing its copy, and the persisted copy being relaunched by wscript.exe from the startup .vbs. In both chains the Remcos payload runs inside a hollowed 32-bit svchost.exe, so the C2 traffic and the keylog file are attributed to a Windows system binary.

Antivirus detection

Initial sample:
Source | Detection | Scanner | Label
MLxloAVuCZ.exe | 79% | ReversingLabs | Win32.Backdoor.Remcos
MLxloAVuCZ.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\miaou\derogates.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\miaou\derogates.exe | 79% | ReversingLabs | Win32.Backdoor.Remcos

Three further scan tables: No Antivirus matches.
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
171.39.242.20.in-addr.arpa | unknown | unknown | false | | high
(This is the PTR lookup for 20.242.39.171, an address listed below among the IPs excluded from the analysis as whitelisted; it is not an indicator of the sample.)

URLs:
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | svchost.exe | false | | high
http://geoplugin.net/json.gp/C | derogates.exe (00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp), svchost.exe (00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp), derogates.exe (00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp), svchost.exe (00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp) | false | | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
192.3.64.152 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
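A responder checking other hosts for this sample would look for the same handful of behaviours the report attributes to the hollowed svchost.exe: the C2 endpoint, the Rmc- mutex, the logs.dat write under C:\ProgramData\remcos\ and the script in the per-user Startup folder. The following Python triage is an added example, not Joe Sandbox output. It runs over constructed EDR-style events whose field names are an assumption; PIDs 7916, 8100 and 7876 are taken from the report, the other PIDs and the benign events are made up, and the "Rmc-" mutex pattern is a generalisation from the single value observed here.

```python
"""Host triage against the indicators in this report.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS are
constructed telemetry records in a generic EDR/Sysmon-like shape (the
field names are an assumption); PIDs 7916, 8100 and 7876 come from the
report, the remaining PIDs are made up.
"""
import ipaddress
import re
from typing import Dict, List

# Indicators from the report.
C2_ENDPOINTS = {("192.3.64.152", 2559)}              # svchost.exe -> AS-COLOCROSSINGUS
MUTEX_OBSERVED = "Rmc-ZFXG9Y"
# Generalisation of the observed mutex name (assumption, not stated on the
# page): "Rmc-" followed by six upper-case alphanumerics.
MUTEX_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")
DROPPED_PREFIX = "c:\\programdata\\remcos\\"         # logs.dat is written here
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")  # Windows Script Host extensions
COMMON_PORTS = {80, 443}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_network(ev: Dict) -> List[str]:
    """svchost.exe is normally a child of services.exe and does not talk to
    arbitrary public hosts on odd ports; the report shows both violated."""
    findings = []
    if (ev["remote_ip"], ev["remote_port"]) in C2_ENDPOINTS:
        findings.append("connects to Remcos C2 listed in report")
    if basename(ev["image"]).lower() == "svchost.exe":
        if basename(ev["parent_image"]).lower() != "services.exe":
            findings.append("svchost.exe not started by services.exe")
        ip = ipaddress.ip_address(ev["remote_ip"])
        if ip.is_global and ev["remote_port"] not in COMMON_PORTS:
            findings.append("svchost.exe outbound to public IP on uncommon port")
    return findings


def check_mutex(ev: Dict) -> List[str]:
    name = basename(ev["mutex"])                     # strip \Sessions\N\BaseNamedObjects\
    if name == MUTEX_OBSERVED or MUTEX_RE.match(name):
        return ["Remcos-style mutex %s" % name]
    return []


def check_file(ev: Dict) -> List[str]:
    p = ev["path"].lower()
    findings = []
    if p.startswith(DROPPED_PREFIX):
        findings.append("write under C:\\ProgramData\\remcos\\")
    if STARTUP_DIR in p and p.endswith(SCRIPT_EXT):
        findings.append("script dropped in per-user Startup folder")
    return findings


CHECKS = {"network": check_network, "mutex": check_mutex, "file": check_file}


def triage(events: List[Dict]) -> List[Dict]:
    """Return one record per event that matched at least one check."""
    hits = []
    for ev in events:
        findings = CHECKS.get(ev["type"], lambda _e: [])(ev)
        if findings:
            hits.append({"pid": ev["pid"], "type": ev["type"], "findings": findings})
    return hits


# Constructed events modelled on the report's process tree (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "network", "pid": 7916, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "parent_image": "C:\\Users\\user\\AppData\\Local\\miaou\\derogates.exe",
     "remote_ip": "192.3.64.152", "remote_port": 2559},
    {"type": "network", "pid": 1234, "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "remote_ip": "20.109.210.53", "remote_port": 443},          # whitelisted in the report
    {"type": "mutex", "pid": 7916, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "mutex": "\\Sessions\\1\\BaseNamedObjects\\Rmc-ZFXG9Y"},
    {"type": "file", "pid": 8100, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "path": "C:\\ProgramData\\remcos\\logs.dat"},
    {"type": "file", "pid": 7876, "image": "C:\\Users\\user\\AppData\\Local\\miaou\\derogates.exe",
     "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\derogates.vbs"},
    {"type": "file", "pid": 4321, "image": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\user\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent-process rule is the durable one: the C2 address and mutex suffix change per build, but a Remcos payload injected into svchost.exe still has a non-services.exe parent, which is the same anomaly the report's "System process connects to network" signature keys on.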
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587959
Start date and time: 2025-01-10 19:47:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MLxloAVuCZ.exe (renamed because the original name is a hash value)
Original Sample Name: d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@12/7@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 53
• Number of non-executed functions: 282
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.242.39.171, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: MLxloAVuCZ.exe
Time | Type | Description
13:49:30 | API Interceptor | 5173611x Sleep call for process svchost.exe modified (the sandbox's API interceptor shortened 5,173,611 Sleep calls in the injected svchost.exe)
19:48:47 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs
Context: other Joe Sandbox analyses sharing the C2 IP 192.3.64.152 (sample name | detection | threat name; the SHA 256 column and the "Get hash" / "Browse" links were lost in extraction):
• 1evAkYZpwDV0N4v.exe | malicious | Remcos
• LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer
• EIuz8Bk9kGav2ix.exe | malicious | Remcos
• 6Ctc0o7vhqKgjU7.exe | malicious | Remcos
• New Order.exe | malicious | Remcos
• UsoOuMVYCv8QrxG.exe | malicious | Remcos
• New Order.exe | malicious | Remcos
• SecuriteInfo.com.Trojan.PackedNET.3042.4675.2937.exe | malicious | Remcos
• Quote.exe | malicious | Remcos
• SecuriteInfo.com.Win32.PWSX-gen.3135.16188.exe | malicious | Remcos

Domain context: No context

Context: other analyses in the same ASN, AS-COLOCROSSINGUS (sample name | detection | threat name | IP):
• bwYw3UUfy7.exe | malicious | Remcos | 192.210.150.26
• Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144 (three analyses)
• sh4.elf | malicious | Mirai | 23.95.117.229
• sweetnessgoodforgreatnessthingswithgood.tIF.vbs | malicious | SmokeLoader | 192.3.27.144
• begoodforeverythinggreatthingsformebetterforgood.hta | malicious | Cobalt Strike, SmokeLoader | 192.3.27.144
• PO#3311-20250108003.xls | malicious | Unknown | 192.3.27.144 (three analyses)

Two further context tables: No context
Dropped file: C:\ProgramData\remcos\logs.dat
Process: C:\Windows\SysWOW64\svchost.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.38816599775145
Encrypted: false
SSDEEP: 3:rglsOlfUlWlNT+d4b5JWRal2Jl+7R0DAlBG45klovDl6v:Mls6UlWyCb5YcIeeDAlOWAv
MD5: 9BE3644D85269AA39F36AB99425888F1
SHA1: 3C451DA706656E8230F9F7CA5CBDC799E0C402A0
SHA-256: 729FE9576E94EEC5D41C98E9268424CAEAFDFEE8A2BDAFEE1691A9BA51B700F3
SHA-512: 01670764E772A71AB3DC757D4969FC7CF3BF39C227BDD44F4FD17E85E57C81A02B2CB993159960AEE23363972D382009D07D304F3C67AFBBEC6A83E6F9A0C234
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.5./.0.1./.1.0. .1.3.:.4.8.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
(The file is UTF-16LE text, which the preview renders with a dot for every NUL byte. Decoded it reads "[2025/01/10 13:48:58 Offline Keylogger Started]" followed by "[Program Manager]", the title of the foreground window at the time, i.e. the desktop. The "remcos" directory name and "logs.dat" file name are the defaults of the Remcos offline keylogger.)
Dropped file (path not preserved in extraction)
Process: C:\Users\user\Desktop\MLxloAVuCZ.exe
File Type: data
Category: dropped
Size (bytes): 435204
Entropy (8bit): 7.988380266490117 (an entropy this close to 8 is characteristic of compressed or encrypted content, whatever the Encrypted heuristic below says)
Encrypted: false
SSDEEP: 12288:MKU48175JWYme9crIadbkrdYUAilE8nKrR2JXi:ZUN17zWx1tkrdYUAilx824
MD5: 7A6DFA9FB95E532AD4BDB953FD850322
SHA1: AACC7E3F1D407D4DC98EBAC26C9CEEA1D3A8DADD
SHA-256: 20545ED762F57FD5FA696DF46CB11D46407D0E20050A179BA4517E07F5C7F538
SHA-512: ABB9194CE150615D9DE608BD4455F2C93263EAD25DCD8D56DE7D57DAEECD47690C1F0B928C476432AF4C95A0873266924D307957C59B16B71E3418461175B248
Malicious: false
Reputation: low
Preview: EA06.....DzT*...9.R*s..&mA..iT9.2.6.Rit*.\.d....Y..5...H.g....m8.c......p.T.k.Z.+.FhS..~oW..j..$..8..&....Yw..c7h<.1(.........K.:Y..\e..m..Be.y..ok..i.....r.j$~I..}a.X+~9|.Cc.F%.I.w.S..+..f./.Y%.z^....O.~.f.....k..=.U..E%..........zF......I...a..@.....5.J.R.$.U#.V03....%....).....T..u...(u..&s2.U..Y.......Sj.d.......ENqU.K&..U.cM.K..*...#.........Uz.\.e.Qf.`..W.W...Ug..........p......Z.+...Tl..}...S.m|.JML...e'.....83:.&.....$ry.4.d..&sj...d..j3j.......f6I.V[%..9y...B..&T.H.i@.....z.....L..@.B....j.j...d....~.....I....F..2.(Si...d....~........Y..c|.E)<.-..F.Kj........If3Z..Y.....Z.*.}..*......A..l....}U.Rpw...O>.R-..%.............G.-.Ah[.."s2.v....{Y..R._/........Td.WM....(..l.|.w.]G....%\...s...'t[..Wu..*d#+.C(X.6..7.R'y...m..Y.4;F>w6..@..].....2<..LXo...d....23`.LB....\....21P.LM}..m....)4.VfQ...n....9...oqjV...M.Z......'S(.B.E...*.....Tk..:...]h..^/.@.\f..z.C..e.:...u...xL.....k|....sI..)...K..g./.F....2.9...u.A.:L...I.`e...~.u.n.w...S....}...kR.b?p(<...
Two further dropped files, both written by C:\Users\user\AppData\Local\miaou\derogates.exe, are byte-for-byte identical to the 435204-byte file above (same size, entropy 7.988380266490117, SSDEEP, MD5 7A6DFA9FB95E532AD4BDB953FD850322, SHA1, SHA-256 20545ED762F57FD5FA696DF46CB11D46407D0E20050A179BA4517E07F5C7F538 and SHA-512; Encrypted: false; Malicious: false; Reputation: low; identical preview). Each run of the installed copy re-creates the same blob.
Dropped file (path not preserved in extraction)
Process: C:\Users\user\Desktop\MLxloAVuCZ.exe
File Type: data
Category: dropped
Size (bytes): 494592
Entropy (8bit): 7.662774544934913
Encrypted: false
SSDEEP: 12288:QzB90EAKlfwQihu+KhTtYKMUUaBSAeOI0i+wnQoiscwfyiiZ4kGP0MW:fKlfQhuRtYpUUaoAehZD1fJiiLfW
MD5: 1FEEC4959309F93B31ED96BB1C991A90
SHA1: 65BED2AB9EBCE344E29322980C4782AC2921C1D9
SHA-256: B9E8C2EE4BEC14965B15F8E28FCE1BA98C3BBD412BCDE16DCE424D1698DF3132
SHA-512: 722513D8CF35CE524576E870A4D6AD9AE59C14BB5AABCBFE17417A3543423B089A63FE867025BCAE8427BA4D47BD4C0EFE682A9317F1AC35AB768BE9FCD80051
Malicious: false
Reputation: low
Preview: ...BTBG96HS8..6A.QJC1LQ6.IKBBWBG92HS8E66A5QJC1LQ6RIKBBWBG92HK9E68^._J.8.p.S..c.?+4.B:<_7W[aV0$-^8qT7i97,w+).v...(YR$.\GI.LQ6RIKBN,.jq(.-p_.H./.4..k/mH.5..r<.#.6..aH`[./.!c2.,.7..S).].L...:d,.K...N>K.,...==X.Gs*.F.,.?}K.=GW.H...=nM.9.va-q_.H.q.5.+./d;*#.X.<G92HS8E66A5QJC1LQ6RIKBBW..92.R?E...SQJC1LQ6R.K@C\CI92:V8E 4A5QJC..R6RYKBB.GG92.S8U66A7QJF1MQ6RIKGBVBG92HS.M66E5QJC1LS6R.KBRWBW92HS(E6&A5QJC1\Q6RIKBBWBG9..U8A76A5.MC..Q6RIKBBWBG92HS8E66A.VJ..LQf.OKzBWBG92HS8E66A5QJC1L..TISBBW.?2.S8E66A5QJC1L.3RINBBWBG92HS8E66A5QJC1LQ6RIKBl#'?M2HS.436A%QJCCIQ6VIKBBWBG92HS8E6.A51d1U-%WRI.;CWB.<2H)9E6@D5QJC1LQ6RIKBB.BGy.,2L$66Aq.JC1\V6RGKBB.DG92HS8E66A5QJ.1L..&%8BBWBN92HSHB66C5QJ.7LQ6RIKBBWBG92.S8..Q'\59C1|S6RI.EBWFG92HT8E66A5QJC1LQ6.IK.l%15Z2HS..66A.VJC}LQ6VNKBBWBG92HS8E6vA5.d1T >URI.yBWB.>2Ho8E6fF5QJC1LQ6RIKBB.BG{2HS8E66A5QJC1LQ6RIKBBWBG92HS8E66A5QJC1LQ6RIKBBWBG92HS8E66A5QJC1LQ6RIKBBWBG92HS8E66A5QJC1LQ6RIKBBWBG92HS8E66A5QJC1LQ6RIKBBWBG92HS8E66A5QJC1LQ6RIKBBWBG92HS8E66A5QJC1LQ6R
(The repeating 30-character run "BG92HS8E66A5QJC1LQ6RIKBBW" visible at the end of the preview is the signature of a fixed key applied to long runs of identical bytes, a typical look for a simple XOR-obfuscated payload blob.)
Dropped file: C:\Users\user\AppData\Local\miaou\derogates.exe
Process: C:\Users\user\Desktop\MLxloAVuCZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1351680
Entropy (8bit): 7.320078437960566
Encrypted: false
SSDEEP: 24576:Cu6J33O0c+JY5UZ+XC0kGso6FapubMGC8db/ZOid2MNTosdIIDnWY:ku0c++OCvkGs9FapCX0yTnyY
MD5: 5F38EDF8C588EFD365F6C82C92D5F0F6
SHA1: 6F8EC411858B7410A22401F6C9D6A2A5C45AAA9B
SHA-256: D51B3625115680DC3D6E0F5881F914F0373A277E2EF2EC56C88C3F45DE997877
SHA-512: 7BC7886D3C81421D6D9CDC1CF4EE3AF5FEA572DE578FBC8C42509129B37716DE7552E3147A3AC84261C463FE79FB60511EFF18D45C3BC3D411905C22389028EF
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...|{_g.........."..................}............@.................................h'....@...@.......@.....................L...|....p..t........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...t....p......................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................
(Size and all four hashes match the submitted sample exactly: the dropper copies itself unchanged to %LOCALAPPDATA%\miaou\derogates.exe, so a hash-based block on the original file also covers the installed copy.)
Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs
Process: C:\Users\user\AppData\Local\miaou\derogates.exe
File Type: data
Category: dropped
Size (bytes): 272
Entropy (8bit): 3.4094994025079943
Encrypted: false
SSDEEP: 6:DMM8lfm3OOQdUfclwL1UEZ+lX1IlM69fAnv6nriIM8lfQVn:DsO+vNlwBQ1IlM6VAnv4mA2n
MD5: 1CCB9B6DA8C70EA737C6E01F48FD0FE4
SHA1: 0ED73B9F1887C2570210ABCFD4BA5723CF5E79DA
SHA-256: E799EBD776B959AE559C2D8277971CAF281E60DF33492A7D75E88B6E2B4404F0
SHA-512: AB45166C005C4DAD7F7027DC0F870D61FEBA3890D3A6517A24827F572B72A5E6504AE3BF15F9F3F7F0BF9A91A972933D382101FB7AE04DF46766DE861BF0D88B
Malicious: true
Preview: S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.m.i.a.o.u.\.d.e.r.o.g.a.t.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
(UTF-16LE text, 272 bytes for 136 characters. Decoded it is a three-line WScript.Shell launcher:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\hubert\AppData\Local\miaou\derogates.exe", 1
Set WshShell = Nothing
This is the "Drops VBS files to the startup folder" persistence: Windows runs the script via wscript.exe at logon, which is the second chain in the behavior graph. Note that the raw script hard-codes the profile path C:\Users\hubert\..., whereas the report renders analysis-user paths as C:\Users\user\...; the graph nonetheless shows wscript.exe starting derogates.exe from this script.)
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.320078437960566
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:MLxloAVuCZ.exe
                                              File size:1'351'680 bytes
                                              MD5:5f38edf8c588efd365f6c82c92d5f0f6
                                              SHA1:6f8ec411858b7410a22401f6c9d6a2a5c45aaa9b
                                              SHA256:d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877
                                              SHA512:7bc7886d3c81421d6d9cdc1cf4ee3af5fea572de578fbc8c42509129b37716de7552e3147a3ac84261c463fe79fb60511eff18d45c3bc3d411905c22389028ef
                                              SSDEEP:24576:Cu6J33O0c+JY5UZ+XC0kGso6FapubMGC8db/ZOid2MNTosdIIDnWY:ku0c++OCvkGs9FapCX0yTnyY
                                              TLSH:0855DF2273DDC360CB669173BF29B7056EBF7C610630B85B2F980D7DA950162262D7A3
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                              Icon Hash:aaf3e3e3938382a0
                                              Entrypoint:0x427dcd
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x675F7B7C [Mon Dec 16 00:59:40 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:afcdf79be1557326c854b6e20cb900a7
                                              Instruction
                                              call 00007FEE58D05D5Ah
                                              jmp 00007FEE58CF8B24h
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              push edi
                                              push esi
                                              mov esi, dword ptr [esp+10h]
                                              mov ecx, dword ptr [esp+14h]
                                              mov edi, dword ptr [esp+0Ch]
                                              mov eax, ecx
                                              mov edx, ecx
                                              add eax, esi
                                              cmp edi, esi
                                              jbe 00007FEE58CF8CAAh
                                              cmp edi, eax
                                              jc 00007FEE58CF900Eh
                                              bt dword ptr [004C31FCh], 01h
                                              jnc 00007FEE58CF8CA9h
                                              rep movsb
                                              jmp 00007FEE58CF8FBCh
                                              cmp ecx, 00000080h
                                              jc 00007FEE58CF8E74h
                                              mov eax, edi
                                              xor eax, esi
                                              test eax, 0000000Fh
                                              jne 00007FEE58CF8CB0h
                                              bt dword ptr [004BE324h], 01h
                                              jc 00007FEE58CF9180h
                                              bt dword ptr [004C31FCh], 00000000h
                                              jnc 00007FEE58CF8E4Dh
                                              test edi, 00000003h
                                              jne 00007FEE58CF8E5Eh
                                              test esi, 00000003h
                                              jne 00007FEE58CF8E3Dh
                                              bt edi, 02h
                                              jnc 00007FEE58CF8CAFh
                                              mov eax, dword ptr [esi]
                                              sub ecx, 04h
                                              lea esi, dword ptr [esi+04h]
                                              mov dword ptr [edi], eax
                                              lea edi, dword ptr [edi+04h]
                                              bt edi, 03h
                                              jnc 00007FEE58CF8CB3h
                                              movq xmm1, qword ptr [esi]
                                              sub ecx, 08h
                                              lea esi, dword ptr [esi+08h]
                                              movq qword ptr [edi], xmm1
                                              lea edi, dword ptr [edi+08h]
                                              test esi, 00000007h
                                              je 00007FEE58CF8D05h
                                              bt esi, 03h
                                              jnc 00007FEE58CF8D58h
                                              Programming Language:
                                              • [ASM] VS2013 build 21005
                                              • [ C ] VS2013 build 21005
                                              • [C++] VS2013 build 21005
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ASM] VS2013 UPD4 build 31101
                                              • [RES] VS2013 build 21005
                                              • [LNK] VS2013 UPD4 build 31101
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x81674 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x149000 | 0x711c | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc | 0xc7000 | 0x81674 | 0x81800 | 8343513307bd20018aaa1b20757424a2 | False | 0.9490735853040541 | data | 7.93817481915676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x149000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                               RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                               RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                               RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                               RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                               RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                               RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                               RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                               RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                               RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                               RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                               RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                                               RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                               RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                               RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                               RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                               RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                               RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                               RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                               RT_RCDATA | 0xcf7b8 | 0x7893b | data | | | 1.0003259881388913
                                               RT_GROUP_ICON | 0x1480f4 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                               RT_GROUP_ICON | 0x14816c | 0x14 | data | English | Great Britain | 1.25
                                               RT_GROUP_ICON | 0x148180 | 0x14 | data | English | Great Britain | 1.15
                                               RT_GROUP_ICON | 0x148194 | 0x14 | data | English | Great Britain | 1.25
                                               RT_VERSION | 0x1481a8 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                               RT_MANIFEST | 0x148284 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                               DLL | Import
                                               WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                               VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                               WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                               COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                               MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                               WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                               PSAPI.DLL | GetProcessMemoryInfo
                                               IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                               USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                               UxTheme.dll | IsThemeActive
                                               KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                               USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                               GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                               COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                               ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                               SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                               ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                               OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                                               Language of compilation system | Country where language is spoken
                                               English | Great Britain
                                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                               2025-01-10T19:48:38.983696+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49807 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:49:21.341638+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49705 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:49:43.705614+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 63891 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:50:06.111549+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 63892 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:50:28.514508+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49799 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:50:50.952959+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49800 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:51:13.329619+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49801 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:51:35.704487+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49802 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:51:58.160413+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49803 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:52:20.564760+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49804 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:52:43.110246+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49805 | 192.3.64.152 | 2559 | TCP
                                               2025-01-10T19:53:05.519342+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49806 | 192.3.64.152 | 2559 | TCP
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jan 10, 2025 19:48:59.977179050 CET | 49705 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:48:59.982074022 CET | 2559 | 49705 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:48:59.982172012 CET | 49705 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:48:59.987915039 CET | 49705 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:48:59.992671013 CET | 2559 | 49705 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:16.569957972 CET | 63886 | 53 | 192.168.2.8 | 162.159.36.2
                                               Jan 10, 2025 19:49:16.574836016 CET | 53 | 63886 | 162.159.36.2 | 192.168.2.8
                                               Jan 10, 2025 19:49:16.575097084 CET | 63886 | 53 | 192.168.2.8 | 162.159.36.2
                                               Jan 10, 2025 19:49:16.580032110 CET | 53 | 63886 | 162.159.36.2 | 192.168.2.8
                                               Jan 10, 2025 19:49:17.038465023 CET | 63886 | 53 | 192.168.2.8 | 162.159.36.2
                                               Jan 10, 2025 19:49:17.043476105 CET | 53 | 63886 | 162.159.36.2 | 192.168.2.8
                                               Jan 10, 2025 19:49:17.043576956 CET | 63886 | 53 | 192.168.2.8 | 162.159.36.2
                                               Jan 10, 2025 19:49:21.341495037 CET | 2559 | 49705 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:21.341638088 CET | 49705 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:21.341727972 CET | 49705 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:21.346450090 CET | 2559 | 49705 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:22.343858957 CET | 63891 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:22.348819017 CET | 2559 | 63891 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:22.348906994 CET | 63891 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:22.355359077 CET | 63891 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:22.360196114 CET | 2559 | 63891 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:43.702186108 CET | 2559 | 63891 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:43.705614090 CET | 63891 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:43.705698013 CET | 63891 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:43.710424900 CET | 2559 | 63891 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:44.718749046 CET | 63892 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:44.723700047 CET | 2559 | 63892 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:49:44.723793983 CET | 63892 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:44.732937098 CET | 63892 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:49:44.737762928 CET | 2559 | 63892 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:02.279398918 CET | 49796 | 53 | 192.168.2.8 | 1.1.1.1
                                               Jan 10, 2025 19:50:02.284301043 CET | 53 | 49796 | 1.1.1.1 | 192.168.2.8
                                               Jan 10, 2025 19:50:02.284420967 CET | 49796 | 53 | 192.168.2.8 | 1.1.1.1
                                               Jan 10, 2025 19:50:02.289258957 CET | 53 | 49796 | 1.1.1.1 | 192.168.2.8
                                               Jan 10, 2025 19:50:02.729527950 CET | 49796 | 53 | 192.168.2.8 | 1.1.1.1
                                               Jan 10, 2025 19:50:02.734566927 CET | 53 | 49796 | 1.1.1.1 | 192.168.2.8
                                               Jan 10, 2025 19:50:02.734628916 CET | 49796 | 53 | 192.168.2.8 | 1.1.1.1
                                               Jan 10, 2025 19:50:06.108983040 CET | 2559 | 63892 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:06.111548901 CET | 63892 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:06.111582994 CET | 63892 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:06.116497993 CET | 2559 | 63892 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:07.125211000 CET | 49799 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:07.130048037 CET | 2559 | 49799 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:07.130132914 CET | 49799 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:07.134957075 CET | 49799 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:07.139812946 CET | 2559 | 49799 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:28.514319897 CET | 2559 | 49799 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:28.514508009 CET | 49799 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:28.514563084 CET | 49799 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:28.519522905 CET | 2559 | 49799 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:29.594286919 CET | 49800 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:29.599325895 CET | 2559 | 49800 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:29.599467993 CET | 49800 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:29.605369091 CET | 49800 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:29.610251904 CET | 2559 | 49800 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:50.952205896 CET | 2559 | 49800 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:50.952959061 CET | 49800 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:50.953042984 CET | 49800 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:50.957814932 CET | 2559 | 49800 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:51.969253063 CET | 49801 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:51.974049091 CET | 2559 | 49801 | 192.3.64.152 | 192.168.2.8
                                               Jan 10, 2025 19:50:51.974124908 CET | 49801 | 2559 | 192.168.2.8 | 192.3.64.152
                                               Jan 10, 2025 19:50:51.988832951 CET | 49801 | 2559 | 192.168.2.8 | 192.3.64.152
                                              Jan 10, 2025 19:50:51.993710041 CET255949801192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:13.326837063 CET255949801192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:13.329618931 CET498012559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:13.329668045 CET498012559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:13.334517002 CET255949801192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:14.344677925 CET498022559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:14.349781990 CET255949802192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:14.349884987 CET498022559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:14.354799032 CET498022559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:14.359663010 CET255949802192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:35.704432011 CET255949802192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:35.704487085 CET498022559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:35.704528093 CET498022559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:35.709316015 CET255949802192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:36.722263098 CET498032559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:36.727157116 CET255949803192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:36.727243900 CET498032559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:36.731158018 CET498032559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:36.735914946 CET255949803192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:58.160259008 CET255949803192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:58.160413027 CET498032559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:58.160460949 CET498032559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:58.165363073 CET255949803192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:59.172575951 CET498042559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:59.177413940 CET255949804192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:51:59.177521944 CET498042559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:59.181765079 CET498042559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:51:59.186594009 CET255949804192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:20.564656019 CET255949804192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:20.564759970 CET498042559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:20.564829111 CET498042559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:20.569607019 CET255949804192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:21.578888893 CET498052559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:21.583827019 CET255949805192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:21.583906889 CET498052559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:21.587966919 CET498052559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:21.592762947 CET255949805192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:43.110166073 CET255949805192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:43.110245943 CET498052559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:43.110372066 CET498052559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:43.115151882 CET255949805192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:44.125778913 CET498062559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:44.130577087 CET255949806192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:52:44.130798101 CET498062559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:44.145544052 CET498062559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:52:44.150335073 CET255949806192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:53:05.519002914 CET255949806192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:53:05.519341946 CET498062559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:53:05.519341946 CET498062559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:53:05.524310112 CET255949806192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:53:06.531785965 CET498072559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:53:06.538877010 CET255949807192.3.64.152192.168.2.8
                                              Jan 10, 2025 19:53:06.538958073 CET498072559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:53:06.542771101 CET498072559192.168.2.8192.3.64.152
                                              Jan 10, 2025 19:53:06.549729109 CET255949807192.3.64.152192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 10, 2025 19:49:16.568767071 CET  53           52384      162.159.36.2  192.168.2.8
Jan 10, 2025 19:49:17.045623064 CET  59812        53         192.168.2.8   1.1.1.1
Jan 10, 2025 19:49:17.052933931 CET  53           59812      1.1.1.1       192.168.2.8
Jan 10, 2025 19:50:02.278987885 CET  53           55561      1.1.1.1       192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                        Type                  Class        DNS over HTTPS
Jan 10, 2025 19:49:17.045623064 CET  192.168.2.8  1.1.1.1  0xb247    Standard query (0)  171.39.242.20.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                        CName  Address  Type                  Class        DNS over HTTPS
Jan 10, 2025 19:49:17.052933931 CET  1.1.1.1    192.168.2.8  0xb247    Name error (3)  171.39.242.20.in-addr.arpa  none   none     PTR (Pointer record)  IN (0x0001)  false

                                              Target ID:0
                                              Start time:13:48:44
                                              Start date:10/01/2025
                                              Path:C:\Users\user\Desktop\MLxloAVuCZ.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\MLxloAVuCZ.exe"
                                              Imagebase:0xa0000
                                              File size:1'351'680 bytes
                                              MD5 hash:5F38EDF8C588EFD365F6C82C92D5F0F6
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:13:48:45
                                              Start date:10/01/2025
                                              Path:C:\Users\user\AppData\Local\miaou\derogates.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\MLxloAVuCZ.exe"
                                              Imagebase:0x8b0000
                                              File size:1'351'680 bytes
                                              MD5 hash:5F38EDF8C588EFD365F6C82C92D5F0F6
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.1453719778.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 79%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:13:48:47
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\MLxloAVuCZ.exe"
                                              Imagebase:0xef0000
                                              File size:46'504 bytes
                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.1456080422.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:13:48:47
                                              Start date:10/01/2025
                                              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                              Wow64 process (32bit):true
                                              Commandline:"c:\program files (x86)\internet explorer\iexplore.exe"
                                              Imagebase:0x650000
                                              File size:828'368 bytes
                                              MD5 hash:6F0F06D6AB125A99E43335427066A4A1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:5
                                              Start time:13:48:56
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\derogates.vbs"
                                              Imagebase:0x7ff606aa0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:13:48:57
                                              Start date:10/01/2025
                                              Path:C:\Users\user\AppData\Local\miaou\derogates.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\miaou\derogates.exe"
                                              Imagebase:0x8b0000
                                              File size:1'351'680 bytes
                                              MD5 hash:5F38EDF8C588EFD365F6C82C92D5F0F6
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.1569823464.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                              Reputation:low
                                              Has exited:true

                                              Target ID:7
                                              Start time:13:48:58
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\miaou\derogates.exe"
                                              Imagebase:0xef0000
                                              File size:46'504 bytes
                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3876562999.0000000003200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3876896183.0000000004E1E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3876601412.0000000003212000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.3875944290.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                              Reputation:high
                                              Has exited:false

                                                Execution Graph

                                                Execution Coverage:3.3%
                                                Dynamic/Decrypted Code Coverage:0.4%
                                                Signature Coverage:7.8%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:158
Execution graph: node and edge listing of the interactive graph widget (node ids, function addresses, API call counts) not reproduced as text.
101390 a79f2 59 API calls 101390->101394 101391 de929 101391->101382 101392 a7de1 59 API calls 101392->101394 101393 a3f74 59 API calls 101393->101394 101394->101384 101394->101390 101394->101392 101394->101393 101462 c2c44 101395->101462 101397 a1096 101440 d1940 101398->101440 101401 a7de1 59 API calls 101402 a4739 101401->101402 101442 a4750 101402->101442 101404 a4743 Mailbox 101404->101369 101406 d1940 __write_nolock 101405->101406 101407 c0518 GetFullPathNameW 101406->101407 101408 c053a 101407->101408 101409 a7bcc 59 API calls 101408->101409 101410 a7165 101409->101410 101411 a7cab 101410->101411 101412 a7cbf 101411->101412 101413 ded4a 101411->101413 101456 a7c50 101412->101456 101414 a8029 59 API calls 101413->101414 101417 ded55 __wsetenvp _memmove 101414->101417 101416 a7173 101418 a3f74 101416->101418 101419 a3f82 101418->101419 101423 a3fa4 _memmove 101418->101423 101421 c0db6 Mailbox 59 API calls 101419->101421 101420 c0db6 Mailbox 59 API calls 101422 a3fb8 101420->101422 101421->101423 101422->101376 101423->101420 101425 a7d99 101424->101425 101426 a7da6 101424->101426 101425->101379 101427 c0db6 Mailbox 59 API calls 101426->101427 101427->101425 101429 c0db6 Mailbox 59 API calls 101428->101429 101430 a5240 RegQueryValueExW 101429->101430 101430->101388 101430->101391 101432 a7c45 101431->101432 101433 a7bd8 __wsetenvp 101431->101433 101434 a7d2c 59 API calls 101432->101434 101435 a7bee 101433->101435 101436 a7c13 101433->101436 101439 a7bf6 _memmove 101434->101439 101461 a7f27 59 API calls Mailbox 101435->101461 101437 a8029 59 API calls 101436->101437 101437->101439 101439->101391 101441 a4713 GetModuleFileNameW 101440->101441 101441->101401 101443 d1940 __write_nolock 101442->101443 101444 a475d GetFullPathNameW 101443->101444 101445 a4799 101444->101445 101446 a477c 101444->101446 101448 a7d8c 59 API calls 101445->101448 101447 a7bcc 59 API calls 101446->101447 101449 a4788 101447->101449 101448->101449 101452 a7726 101449->101452 101453 a7734 
101452->101453 101454 a7d2c 59 API calls 101453->101454 101455 a4794 101454->101455 101455->101404 101457 a7c5f __wsetenvp 101456->101457 101458 a8029 59 API calls 101457->101458 101459 a7c70 _memmove 101457->101459 101460 ded07 _memmove 101458->101460 101459->101416 101461->101439 101463 c2c50 __write 101462->101463 101470 c3217 101463->101470 101469 c2c77 __write 101469->101397 101487 c9c0b 101470->101487 101472 c2c59 101473 c2c88 DecodePointer DecodePointer 101472->101473 101474 c2cb5 101473->101474 101475 c2c65 101473->101475 101474->101475 101533 c87a4 59 API calls __write_nolock 101474->101533 101484 c2c82 101475->101484 101477 c2d18 EncodePointer EncodePointer 101477->101475 101478 c2cc7 101478->101477 101479 c2cec 101478->101479 101534 c8864 61 API calls 2 library calls 101478->101534 101479->101475 101483 c2d06 EncodePointer 101479->101483 101535 c8864 61 API calls 2 library calls 101479->101535 101482 c2d00 101482->101475 101482->101483 101483->101477 101536 c3220 101484->101536 101488 c9c1c 101487->101488 101489 c9c2f EnterCriticalSection 101487->101489 101494 c9c93 101488->101494 101489->101472 101491 c9c22 101491->101489 101518 c30b5 58 API calls 3 library calls 101491->101518 101495 c9c9f __write 101494->101495 101496 c9ca8 101495->101496 101497 c9cc0 101495->101497 101519 ca16b 58 API calls 2 library calls 101496->101519 101503 c9ce1 __write 101497->101503 101522 c881d 58 API calls 2 library calls 101497->101522 101499 c9cad 101520 ca1c8 58 API calls 8 library calls 101499->101520 101502 c9cd5 101505 c9cdc 101502->101505 101506 c9ceb 101502->101506 101503->101491 101504 c9cb4 101521 c309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101504->101521 101523 c8b28 58 API calls __getptd_noexit 101505->101523 101508 c9c0b __lock 58 API calls 101506->101508 101510 c9cf2 101508->101510 101512 c9cff 101510->101512 101513 c9d17 101510->101513 101524 c9e2b InitializeCriticalSectionAndSpinCount 101512->101524 101525 c2d55 101513->101525 
101516 c9d0b 101531 c9d33 LeaveCriticalSection _doexit 101516->101531 101519->101499 101520->101504 101522->101502 101523->101503 101524->101516 101526 c2d5e RtlFreeHeap 101525->101526 101527 c2d87 __dosmaperr 101525->101527 101526->101527 101528 c2d73 101526->101528 101527->101516 101532 c8b28 58 API calls __getptd_noexit 101528->101532 101530 c2d79 GetLastError 101530->101527 101531->101503 101532->101530 101533->101478 101534->101479 101535->101482 101539 c9d75 LeaveCriticalSection 101536->101539 101538 c2c87 101538->101469 101539->101538 101540 a3633 101541 a366a 101540->101541 101542 a3688 101541->101542 101543 a36e7 101541->101543 101579 a36e5 101541->101579 101544 a374b PostQuitMessage 101542->101544 101545 a3695 101542->101545 101547 dd0cc 101543->101547 101548 a36ed 101543->101548 101582 a36d8 101544->101582 101550 dd154 101545->101550 101551 a36a0 101545->101551 101546 a36ca DefWindowProcW 101546->101582 101589 b1070 10 API calls Mailbox 101547->101589 101552 a36f2 101548->101552 101553 a3715 SetTimer RegisterWindowMessageW 101548->101553 101605 102527 71 API calls _memset 101550->101605 101555 a36a8 101551->101555 101556 a3755 101551->101556 101559 dd06f 101552->101559 101560 a36f9 KillTimer 101552->101560 101557 a373e CreatePopupMenu 101553->101557 101553->101582 101554 dd0f3 101590 b1093 341 API calls Mailbox 101554->101590 101562 a36b3 101555->101562 101568 dd139 101555->101568 101587 a44a0 64 API calls _memset 101556->101587 101557->101582 101564 dd0a8 MoveWindow 101559->101564 101565 dd074 101559->101565 101585 a443a Shell_NotifyIconW _memset 101560->101585 101569 a36be 101562->101569 101570 dd124 101562->101570 101564->101582 101573 dd078 101565->101573 101574 dd097 SetFocus 101565->101574 101567 a370c 101586 a3114 DeleteObject DestroyWindow Mailbox 101567->101586 101568->101546 101604 f7c36 59 API calls Mailbox 101568->101604 101569->101546 101591 a443a Shell_NotifyIconW _memset 101569->101591 101603 102d36 81 API calls _memset 101570->101603 
101571 dd166 101571->101546 101571->101582 101572 a3764 101572->101582 101573->101569 101577 dd081 101573->101577 101574->101582 101588 b1070 10 API calls Mailbox 101577->101588 101579->101546 101583 dd118 101592 a434a 101583->101592 101585->101567 101586->101582 101587->101572 101588->101582 101589->101554 101590->101569 101591->101583 101593 a4375 _memset 101592->101593 101606 a4182 101593->101606 101596 a43fa 101598 a4430 Shell_NotifyIconW 101596->101598 101599 a4414 Shell_NotifyIconW 101596->101599 101600 a4422 101598->101600 101599->101600 101610 a407c 101600->101610 101602 a4429 101602->101579 101603->101572 101604->101579 101605->101571 101607 a4196 101606->101607 101608 dd423 101606->101608 101607->101596 101632 102f94 62 API calls _W_store_winword 101607->101632 101608->101607 101609 dd42c DestroyIcon 101608->101609 101609->101607 101611 a4098 101610->101611 101631 a416f Mailbox 101610->101631 101633 a7a16 101611->101633 101614 dd3c8 LoadStringW 101618 dd3e2 101614->101618 101615 a40b3 101616 a7bcc 59 API calls 101615->101616 101617 a40c8 101616->101617 101617->101618 101619 a40d9 101617->101619 101620 a7b2e 59 API calls 101618->101620 101621 a40e3 101619->101621 101622 a4174 101619->101622 101625 dd3ec 101620->101625 101624 a7b2e 59 API calls 101621->101624 101623 a8047 59 API calls 101622->101623 101628 a40ed _memset _wcscpy 101623->101628 101624->101628 101626 a7cab 59 API calls 101625->101626 101625->101628 101627 dd40e 101626->101627 101630 a7cab 59 API calls 101627->101630 101629 a4155 Shell_NotifyIconW 101628->101629 101629->101631 101630->101628 101631->101602 101632->101596 101634 c0db6 Mailbox 59 API calls 101633->101634 101635 a7a3b 101634->101635 101636 a8029 59 API calls 101635->101636 101637 a40a6 101636->101637 101637->101614 101637->101615 101638 c7c56 101639 c7c62 __write 101638->101639 101675 c9e08 GetStartupInfoW 101639->101675 101641 c7c67 101677 c8b7c GetProcessHeap 101641->101677 101643 c7cbf 101644 c7cca 101643->101644 101760 c7da6 
58 API calls 3 library calls 101643->101760 101678 c9ae6 101644->101678 101647 c7cd0 101648 c7cdb __RTC_Initialize 101647->101648 101761 c7da6 58 API calls 3 library calls 101647->101761 101699 cd5d2 101648->101699 101651 c7cea 101652 c7cf6 GetCommandLineW 101651->101652 101762 c7da6 58 API calls 3 library calls 101651->101762 101718 d4f23 GetEnvironmentStringsW 101652->101718 101655 c7cf5 101655->101652 101658 c7d10 101659 c7d1b 101658->101659 101763 c30b5 58 API calls 3 library calls 101658->101763 101728 d4d58 101659->101728 101662 c7d21 101663 c7d2c 101662->101663 101764 c30b5 58 API calls 3 library calls 101662->101764 101742 c30ef 101663->101742 101666 c7d34 101667 c7d3f __wwincmdln 101666->101667 101765 c30b5 58 API calls 3 library calls 101666->101765 101748 a47d0 101667->101748 101670 c7d53 101671 c7d62 101670->101671 101766 c3358 58 API calls _doexit 101670->101766 101767 c30e0 58 API calls _doexit 101671->101767 101674 c7d67 __write 101676 c9e1e 101675->101676 101676->101641 101677->101643 101768 c3187 36 API calls 2 library calls 101678->101768 101680 c9aeb 101769 c9d3c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 101680->101769 101682 c9af0 101683 c9af4 101682->101683 101771 c9d8a TlsAlloc 101682->101771 101770 c9b5c 61 API calls 2 library calls 101683->101770 101686 c9af9 101686->101647 101687 c9b06 101687->101683 101688 c9b11 101687->101688 101772 c87d5 101688->101772 101691 c9b53 101780 c9b5c 61 API calls 2 library calls 101691->101780 101694 c9b58 101694->101647 101695 c9b32 101695->101691 101696 c9b38 101695->101696 101779 c9a33 58 API calls 4 library calls 101696->101779 101698 c9b40 GetCurrentThreadId 101698->101647 101700 cd5de __write 101699->101700 101701 c9c0b __lock 58 API calls 101700->101701 101702 cd5e5 101701->101702 101703 c87d5 __calloc_crt 58 API calls 101702->101703 101704 cd5f6 101703->101704 101705 cd661 GetStartupInfoW 101704->101705 101706 cd601 __write @_EH4_CallFilterFunc@8 101704->101706 101712 cd676 101705->101712 
101715 cd7a5 101705->101715 101706->101651 101707 cd86d 101794 cd87d LeaveCriticalSection _doexit 101707->101794 101709 c87d5 __calloc_crt 58 API calls 101709->101712 101710 cd7f2 GetStdHandle 101710->101715 101711 cd805 GetFileType 101711->101715 101712->101709 101714 cd6c4 101712->101714 101712->101715 101713 cd6f8 GetFileType 101713->101714 101714->101713 101714->101715 101792 c9e2b InitializeCriticalSectionAndSpinCount 101714->101792 101715->101707 101715->101710 101715->101711 101793 c9e2b InitializeCriticalSectionAndSpinCount 101715->101793 101719 c7d06 101718->101719 101720 d4f34 101718->101720 101724 d4b1b GetModuleFileNameW 101719->101724 101795 c881d 58 API calls 2 library calls 101720->101795 101722 d4f5a _memmove 101723 d4f70 FreeEnvironmentStringsW 101722->101723 101723->101719 101725 d4b4f _wparse_cmdline 101724->101725 101727 d4b8f _wparse_cmdline 101725->101727 101796 c881d 58 API calls 2 library calls 101725->101796 101727->101658 101729 d4d69 101728->101729 101731 d4d71 __wsetenvp 101728->101731 101729->101662 101730 c87d5 __calloc_crt 58 API calls 101738 d4d9a __wsetenvp 101730->101738 101731->101730 101732 d4df1 101733 c2d55 _free 58 API calls 101732->101733 101733->101729 101734 c87d5 __calloc_crt 58 API calls 101734->101738 101735 d4e16 101737 c2d55 _free 58 API calls 101735->101737 101737->101729 101738->101729 101738->101732 101738->101734 101738->101735 101739 d4e2d 101738->101739 101797 d4607 58 API calls __write_nolock 101738->101797 101798 c8dc6 IsProcessorFeaturePresent 101739->101798 101741 d4e39 101741->101662 101743 c30fb __IsNonwritableInCurrentImage 101742->101743 101821 ca4d1 101743->101821 101745 c3119 __initterm_e 101746 c2d40 __cinit 67 API calls 101745->101746 101747 c3138 _doexit __IsNonwritableInCurrentImage 101745->101747 101746->101747 101747->101666 101749 a47ea 101748->101749 101759 a4889 101748->101759 101750 a4824 IsThemeActive 101749->101750 101824 c336c 101750->101824 101754 a4850 101836 a48fd SystemParametersInfoW 
SystemParametersInfoW 101754->101836 101756 a485c 101837 a3b3a 101756->101837 101758 a4864 SystemParametersInfoW 101758->101759 101759->101670 101760->101644 101761->101648 101762->101655 101766->101671 101767->101674 101768->101680 101769->101682 101770->101686 101771->101687 101775 c87dc 101772->101775 101774 c8817 101774->101691 101778 c9de6 TlsSetValue 101774->101778 101775->101774 101777 c87fa 101775->101777 101781 d51f6 101775->101781 101777->101774 101777->101775 101789 ca132 Sleep 101777->101789 101778->101695 101779->101698 101780->101694 101782 d5201 101781->101782 101787 d521c 101781->101787 101783 d520d 101782->101783 101782->101787 101790 c8b28 58 API calls __getptd_noexit 101783->101790 101785 d522c RtlAllocateHeap 101785->101787 101788 d5212 101785->101788 101787->101785 101787->101788 101791 c33a1 DecodePointer 101787->101791 101788->101775 101789->101777 101790->101788 101791->101787 101792->101714 101793->101715 101794->101706 101795->101722 101796->101727 101797->101738 101799 c8dd1 101798->101799 101804 c8c59 101799->101804 101803 c8dec 101803->101741 101805 c8c73 _memset ___raise_securityfailure 101804->101805 101806 c8c93 IsDebuggerPresent 101805->101806 101812 ca155 SetUnhandledExceptionFilter UnhandledExceptionFilter 101806->101812 101809 c8d7a 101811 ca140 GetCurrentProcess TerminateProcess 101809->101811 101810 c8d57 ___raise_securityfailure 101813 cc5f6 101810->101813 101811->101803 101812->101810 101814 cc5fe 101813->101814 101815 cc600 IsProcessorFeaturePresent 101813->101815 101814->101809 101817 d590a 101815->101817 101820 d58b9 5 API calls ___raise_securityfailure 101817->101820 101819 d59ed 101819->101809 101820->101819 101822 ca4d4 EncodePointer 101821->101822 101822->101822 101823 ca4ee 101822->101823 101823->101745 101825 c9c0b __lock 58 API calls 101824->101825 101826 c3377 DecodePointer EncodePointer 101825->101826 101889 c9d75 LeaveCriticalSection 101826->101889 101828 a4849 101829 c33d4 101828->101829 101830 c33de 
101829->101830 101831 c33f8 101829->101831 101830->101831 101890 c8b28 58 API calls __getptd_noexit 101830->101890 101831->101754 101833 c33e8 101891 c8db6 9 API calls __write_nolock 101833->101891 101835 c33f3 101835->101754 101836->101756 101838 a3b47 __write_nolock 101837->101838 101839 a7667 59 API calls 101838->101839 101840 a3b51 GetCurrentDirectoryW 101839->101840 101892 a3766 101840->101892 101842 a3b7a IsDebuggerPresent 101843 a3b88 101842->101843 101844 dd272 MessageBoxA 101842->101844 101846 dd28c 101843->101846 101847 a3ba5 101843->101847 101876 a3c61 101843->101876 101844->101846 101845 a3c68 SetCurrentDirectoryW 101850 a3c75 Mailbox 101845->101850 102091 a7213 59 API calls Mailbox 101846->102091 101973 a7285 101847->101973 101850->101758 101851 dd29c 101856 dd2b2 SetCurrentDirectoryW 101851->101856 101853 a3bc3 GetFullPathNameW 101854 a7bcc 59 API calls 101853->101854 101855 a3bfe 101854->101855 101989 b092d 101855->101989 101856->101850 101859 a3c1c 101860 a3c26 101859->101860 102092 f874b AllocateAndInitializeSid CheckTokenMembership FreeSid 101859->102092 102005 a3a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 101860->102005 101863 dd2cf 101863->101860 101866 dd2e0 101863->101866 101868 a4706 61 API calls 101866->101868 101867 a3c30 101869 a3c43 101867->101869 101871 a434a 68 API calls 101867->101871 101870 dd2e8 101868->101870 102013 b09d0 101869->102013 101873 a7de1 59 API calls 101870->101873 101871->101869 101875 dd2f5 101873->101875 101874 a3c4e 101874->101876 102090 a443a Shell_NotifyIconW _memset 101874->102090 101877 dd2ff 101875->101877 101878 dd324 101875->101878 101876->101845 101881 a7cab 59 API calls 101877->101881 101880 a7cab 59 API calls 101878->101880 101882 dd320 GetForegroundWindow ShellExecuteW 101880->101882 101883 dd30a 101881->101883 101886 dd354 Mailbox 101882->101886 101885 a7b2e 59 API calls 101883->101885 101887 dd317 101885->101887 101886->101876 101888 a7cab 59 API calls 101887->101888 101888->101882 
101889->101828 101890->101833 101891->101835 101893 a7667 59 API calls 101892->101893 101894 a377c 101893->101894 102093 a3d31 101894->102093 101896 a379a 101897 a4706 61 API calls 101896->101897 101898 a37ae 101897->101898 101899 a7de1 59 API calls 101898->101899 101900 a37bb 101899->101900 102107 a4ddd 101900->102107 101903 a37dc Mailbox 101908 a8047 59 API calls 101903->101908 101904 dd173 102163 10955b 101904->102163 101907 dd192 101910 c2d55 _free 58 API calls 101907->101910 101911 a37ef 101908->101911 101912 dd19f 101910->101912 102131 a928a 101911->102131 101914 a4e4a 84 API calls 101912->101914 101916 dd1a8 101914->101916 101920 a3ed0 59 API calls 101916->101920 101917 a7de1 59 API calls 101918 a3808 101917->101918 102134 a84c0 101918->102134 101922 dd1c3 101920->101922 101921 a381a Mailbox 101923 a7de1 59 API calls 101921->101923 101924 a3ed0 59 API calls 101922->101924 101925 a3840 101923->101925 101926 dd1df 101924->101926 101927 a84c0 69 API calls 101925->101927 101928 a4706 61 API calls 101926->101928 101930 a384f Mailbox 101927->101930 101929 dd204 101928->101929 101931 a3ed0 59 API calls 101929->101931 101933 a7667 59 API calls 101930->101933 101932 dd210 101931->101932 101934 a8047 59 API calls 101932->101934 101935 a386d 101933->101935 101936 dd21e 101934->101936 102138 a3ed0 101935->102138 101938 a3ed0 59 API calls 101936->101938 101940 dd22d 101938->101940 101946 a8047 59 API calls 101940->101946 101942 a3887 101942->101916 101943 a3891 101942->101943 101944 c2efd _W_store_winword 60 API calls 101943->101944 101945 a389c 101944->101945 101945->101922 101947 a38a6 101945->101947 101948 dd24f 101946->101948 101949 c2efd _W_store_winword 60 API calls 101947->101949 101950 a3ed0 59 API calls 101948->101950 101951 a38b1 101949->101951 101952 dd25c 101950->101952 101951->101926 101953 a38bb 101951->101953 101952->101952 101954 c2efd _W_store_winword 60 API calls 101953->101954 101955 a38c6 101954->101955 101955->101940 101956 a3907 101955->101956 
101958 a3ed0 59 API calls 101955->101958 101956->101940 101957 a3914 101956->101957 101959 a92ce 59 API calls 101957->101959 101960 a38ea 101958->101960 101961 a3924 101959->101961 101962 a8047 59 API calls 101960->101962 101963 a9050 59 API calls 101961->101963 101964 a38f8 101962->101964 101965 a3932 101963->101965 101966 a3ed0 59 API calls 101964->101966 102154 a8ee0 101965->102154 101966->101956 101968 a928a 59 API calls 101970 a394f 101968->101970 101969 a8ee0 60 API calls 101969->101970 101970->101968 101970->101969 101971 a3ed0 59 API calls 101970->101971 101972 a3995 Mailbox 101970->101972 101971->101970 101972->101842 101974 a7292 __write_nolock 101973->101974 101975 a72ab 101974->101975 101976 dea22 _memset 101974->101976 101977 a4750 60 API calls 101975->101977 101979 dea3e GetOpenFileNameW 101976->101979 101978 a72b4 101977->101978 103009 c0791 101978->103009 101981 dea8d 101979->101981 101982 a7bcc 59 API calls 101981->101982 101984 deaa2 101982->101984 101984->101984 101986 a72c9 103027 a686a 101986->103027 101990 b093a __write_nolock 101989->101990 103265 a6d80 101990->103265 101992 b093f 101993 a3c14 101992->101993 103276 b119e 89 API calls 101992->103276 101993->101851 101993->101859 101995 b094c 101995->101993 103277 b3ee7 91 API calls Mailbox 101995->103277 101997 b0955 101997->101993 101998 b0959 GetFullPathNameW 101997->101998 101999 a7bcc 59 API calls 101998->101999 102000 b0985 101999->102000 102001 a7bcc 59 API calls 102000->102001 102002 b0992 102001->102002 102003 e4cab _wcscat 102002->102003 102004 a7bcc 59 API calls 102002->102004 102004->101993 102006 a3ab0 LoadImageW RegisterClassExW 102005->102006 102007 dd261 102005->102007 103310 a3041 7 API calls 102006->103310 103311 a47a0 LoadImageW EnumResourceNamesW 102007->103311 102010 a3b34 102012 a39d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 102010->102012 102011 dd26a 102012->101867 102014 e4cc3 102013->102014 102028 b09f5 102013->102028 103369 109e4a 89 API calls 4 library 
calls 102014->103369 102016 b0cfa 102016->101874 102018 b0ee4 102018->102016 102020 b0ef1 102018->102020 102021 b0a4b PeekMessageW 102076 b0a05 Mailbox 102021->102076 102025 e4e81 Sleep 102025->102076 102027 b0ce4 102027->102016 103366 b1070 10 API calls Mailbox 102027->103366 102028->102076 103370 a9e5d 60 API calls 102028->103370 103371 f6349 341 API calls 102028->103371 102032 b0e43 PeekMessageW 102032->102076 102033 b0ea5 TranslateMessage DispatchMessageW 102033->102032 102034 e4d50 TranslateAcceleratorW 102034->102032 102034->102076 102035 c0db6 59 API calls Mailbox 102035->102076 102036 b0d13 timeGetTime 102036->102076 102037 e581f WaitForSingleObject 102039 e583c GetExitCodeProcess CloseHandle 102037->102039 102037->102076 102073 b0f95 102039->102073 102040 b0e5f Sleep 102075 b0e70 Mailbox 102040->102075 102041 a8047 59 API calls 102041->102076 102042 a7667 59 API calls 102042->102075 102043 e5af8 Sleep 102043->102075 102045 ab73c 314 API calls 102045->102076 102047 c049f timeGetTime 102047->102075 102048 b0f4e timeGetTime 103368 a9e5d 60 API calls 102048->103368 102051 a9837 84 API calls 102051->102076 102052 e5b8f GetExitCodeProcess 102053 e5bbb CloseHandle 102052->102053 102054 e5ba5 WaitForSingleObject 102052->102054 102053->102075 102054->102053 102054->102076 102057 125f25 110 API calls 102057->102075 102058 ab7dd 109 API calls 102058->102075 102059 e5874 102059->102073 102060 e5c17 Sleep 102060->102076 102061 e5078 Sleep 102061->102076 102063 a7de1 59 API calls 102063->102075 102066 a9e5d 60 API calls 102066->102076 102069 a9ea0 314 API calls 102069->102076 102073->101874 102075->102042 102075->102047 102075->102052 102075->102057 102075->102058 102075->102059 102075->102060 102075->102061 102075->102063 102075->102073 102075->102076 103378 102408 60 API calls 102075->103378 103379 a9e5d 60 API calls 102075->103379 103380 a89b3 69 API calls Mailbox 102075->103380 103381 ab73c 341 API calls 102075->103381 103382 f64da 60 API calls 102075->103382 103383 
105244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 102075->103383 103384 103c55 66 API calls Mailbox 102075->103384 102076->102021 102076->102025 102076->102027 102076->102032 102076->102033 102076->102034 102076->102035 102076->102036 102076->102037 102076->102040 102076->102041 102076->102043 102076->102045 102076->102048 102076->102051 102076->102066 102076->102069 102076->102073 102076->102075 102077 109e4a 89 API calls 102076->102077 102079 a9c90 59 API calls Mailbox 102076->102079 102080 a84c0 69 API calls 102076->102080 102082 f617e 59 API calls Mailbox 102076->102082 102083 e55d5 VariantClear 102076->102083 102084 e566b VariantClear 102076->102084 102085 a8cd4 59 API calls Mailbox 102076->102085 102086 e5419 VariantClear 102076->102086 102087 f6e8f 59 API calls 102076->102087 102088 a7de1 59 API calls 102076->102088 102089 a89b3 69 API calls 102076->102089 103312 ae6a0 102076->103312 103343 af460 102076->103343 103363 ae420 341 API calls 102076->103363 103364 afce0 341 API calls 2 library calls 102076->103364 103365 a31ce IsDialogMessageW GetClassLongW 102076->103365 103372 126018 59 API calls 102076->103372 103373 109a15 59 API calls Mailbox 102076->103373 103374 fd4f2 59 API calls 102076->103374 103375 f60ef 59 API calls 2 library calls 102076->103375 103376 a8401 59 API calls 102076->103376 103377 a82df 59 API calls Mailbox 102076->103377 102077->102076 102079->102076 102080->102076 102082->102076 102083->102076 102084->102076 102085->102076 102086->102076 102087->102076 102088->102076 102089->102076 102090->101876 102091->101851 102092->101863 102094 a3d3e __write_nolock 102093->102094 102095 a7bcc 59 API calls 102094->102095 102099 a3ea4 Mailbox 102094->102099 102096 a3d70 102095->102096 102106 a3da6 Mailbox 102096->102106 102204 a79f2 102096->102204 102098 a3e77 102098->102099 102100 a7de1 59 API calls 102098->102100 102099->101896 102102 a3e98 102100->102102 102101 a7de1 59 API calls 102101->102106 102103 
a3f74 59 API calls 102102->102103 102103->102099 102104 a79f2 59 API calls 102104->102106 102105 a3f74 59 API calls 102105->102106 102106->102098 102106->102099 102106->102101 102106->102104 102106->102105 102207 a4bb5 102107->102207 102112 a4e08 LoadLibraryExW 102217 a4b6a 102112->102217 102113 dd8e6 102115 a4e4a 84 API calls 102113->102115 102116 dd8ed 102115->102116 102118 a4b6a 3 API calls 102116->102118 102121 dd8f5 102118->102121 102120 a4e2f 102120->102121 102122 a4e3b 102120->102122 102243 a4f0b 102121->102243 102124 a4e4a 84 API calls 102122->102124 102126 a37d4 102124->102126 102126->101903 102126->101904 102128 dd91c 102251 a4ec7 102128->102251 102130 dd929 102132 c0db6 Mailbox 59 API calls 102131->102132 102133 a37fb 102132->102133 102133->101917 102135 a84cb 102134->102135 102137 a84f2 102135->102137 102678 a89b3 69 API calls Mailbox 102135->102678 102137->101921 102139 a3eda 102138->102139 102140 a3ef3 102138->102140 102142 a8047 59 API calls 102139->102142 102141 a7bcc 59 API calls 102140->102141 102143 a3879 102141->102143 102142->102143 102144 c2efd 102143->102144 102145 c2f7e 102144->102145 102146 c2f09 102144->102146 102681 c2f90 60 API calls 3 library calls 102145->102681 102153 c2f2e 102146->102153 102679 c8b28 58 API calls __getptd_noexit 102146->102679 102148 c2f8b 102148->101942 102150 c2f15 102680 c8db6 9 API calls __write_nolock 102150->102680 102152 c2f20 102152->101942 102153->101942 102155 df17c 102154->102155 102158 a8ef7 102154->102158 102155->102158 102683 a8bdb 59 API calls Mailbox 102155->102683 102157 a8fff 102157->101970 102158->102157 102159 a8ff8 102158->102159 102160 a9040 102158->102160 102161 c0db6 Mailbox 59 API calls 102159->102161 102682 a9d3c 60 API calls Mailbox 102160->102682 102161->102157 102164 a4ee5 85 API calls 102163->102164 102165 1095ca 102164->102165 102684 109734 102165->102684 102168 a4f0b 74 API calls 102169 1095f7 102168->102169 102170 a4f0b 74 API calls 102169->102170 102171 109607 102170->102171 102172 
Execution graph (call-graph node and edge data; the rendered graph is not reproduced here). Windows API calls referenced by the graph nodes in this part: CharUpperBuffW, CloseHandle, CreateFileW, CreateStreamOnHGlobal, EnterCriticalSection, FindResourceExW, FreeLibrary, GetConsoleCP, GetConsoleMode, GetFileType, GetLastError, GetLongPathNameW, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, LoadLibraryA, LoadResource, LockResource, MultiByteToWideChar, ReadConsoleW, ReadFile, SetCurrentDirectoryW, SetFilePointerEx, SizeofResource, WideCharToMultiByte, WriteConsoleW, WriteFile. The remaining nodes are C runtime internals (__write, __write_nolock, __wsopen_nolock, __read_nolock, __fcloseall, __wfsopen, __lock, __lock_file, __dosmaperr, __invoke_watson, __ftell_nolock, __lseeki64_nolock, __chsize_nolock, __close_nolock, _free, _memmove, _memset, _wcscmp, __tzset_nolock, __cinit) and the script-engine helpers _W_store_winword and Mailbox.
103633 c2d40 __cinit 67 API calls 103631->103633 103634 a49a0 103632->103634 103633->103632 103635 a7667 59 API calls 103634->103635 103636 a49b8 GetVersionExW 103635->103636 103637 a7bcc 59 API calls 103636->103637 103638 a49fb 103637->103638 103639 a7d2c 59 API calls 103638->103639 103642 a4a28 103638->103642 103640 a4a1c 103639->103640 103641 a7726 59 API calls 103640->103641 103641->103642 103643 a4a93 GetCurrentProcess IsWow64Process 103642->103643 103644 dd864 103642->103644 103645 a4aac 103643->103645 103646 a4b2b GetSystemInfo 103645->103646 103647 a4ac2 103645->103647 103648 a4af8 103646->103648 103658 a4b37 103647->103658 103648->103627 103651 a4b1f GetSystemInfo 103654 a4ae9 103651->103654 103652 a4ad4 103653 a4b37 2 API calls 103652->103653 103655 a4adc GetNativeSystemInfo 103653->103655 103654->103648 103656 a4aef FreeLibrary 103654->103656 103655->103654 103656->103648 103659 a4ad0 103658->103659 103660 a4b40 LoadLibraryA 103658->103660 103659->103651 103659->103652 103660->103659 103661 a4b51 GetProcAddress 103660->103661 103661->103659 103662 a1066 103667 af76f 103662->103667 103664 a106c 103665 c2d40 __cinit 67 API calls 103664->103665 103666 a1076 103665->103666 103668 af790 103667->103668 103700 bff03 103668->103700 103672 af7d7 103673 a7667 59 API calls 103672->103673 103674 af7e1 103673->103674 103675 a7667 59 API calls 103674->103675 103676 af7eb 103675->103676 103677 a7667 59 API calls 103676->103677 103678 af7f5 103677->103678 103679 a7667 59 API calls 103678->103679 103680 af833 103679->103680 103681 a7667 59 API calls 103680->103681 103682 af8fe 103681->103682 103710 b5f87 103682->103710 103686 af930 103687 a7667 59 API calls 103686->103687 103688 af93a 103687->103688 103738 bfd9e 103688->103738 103690 af981 103691 af991 GetStdHandle 103690->103691 103692 e45ab 103691->103692 103693 af9dd 103691->103693 103692->103693 103695 e45b4 103692->103695 103694 af9e5 OleInitialize 103693->103694 103694->103664 103745 106b38 64 API calls Mailbox 
103695->103745 103697 e45bb 103746 107207 CreateThread 103697->103746 103699 e45c7 CloseHandle 103699->103694 103747 bffdc 103700->103747 103703 bffdc 59 API calls 103704 bff45 103703->103704 103705 a7667 59 API calls 103704->103705 103706 bff51 103705->103706 103707 a7bcc 59 API calls 103706->103707 103708 af796 103707->103708 103709 c0162 6 API calls 103708->103709 103709->103672 103711 a7667 59 API calls 103710->103711 103712 b5f97 103711->103712 103713 a7667 59 API calls 103712->103713 103714 b5f9f 103713->103714 103754 b5a9d 103714->103754 103717 b5a9d 59 API calls 103718 b5faf 103717->103718 103719 a7667 59 API calls 103718->103719 103720 b5fba 103719->103720 103721 c0db6 Mailbox 59 API calls 103720->103721 103722 af908 103721->103722 103723 b60f9 103722->103723 103724 b6107 103723->103724 103725 a7667 59 API calls 103724->103725 103726 b6112 103725->103726 103727 a7667 59 API calls 103726->103727 103728 b611d 103727->103728 103729 a7667 59 API calls 103728->103729 103730 b6128 103729->103730 103731 a7667 59 API calls 103730->103731 103732 b6133 103731->103732 103733 b5a9d 59 API calls 103732->103733 103734 b613e 103733->103734 103735 c0db6 Mailbox 59 API calls 103734->103735 103736 b6145 RegisterWindowMessageW 103735->103736 103736->103686 103739 f576f 103738->103739 103740 bfdae 103738->103740 103757 109ae7 60 API calls 103739->103757 103741 c0db6 Mailbox 59 API calls 103740->103741 103743 bfdb6 103741->103743 103743->103690 103744 f577a 103745->103697 103746->103699 103758 1071ed 65 API calls 103746->103758 103748 a7667 59 API calls 103747->103748 103749 bffe7 103748->103749 103750 a7667 59 API calls 103749->103750 103751 bffef 103750->103751 103752 a7667 59 API calls 103751->103752 103753 bff3b 103752->103753 103753->103703 103755 a7667 59 API calls 103754->103755 103756 b5aa5 103755->103756 103756->103717 103757->103744 103759 a1055 103764 a2649 103759->103764 103762 c2d40 __cinit 67 API calls 103763 a1064 103762->103763 103765 a7667 59 API calls 
103764->103765 103766 a26b7 103765->103766 103771 a3582 103766->103771 103769 a2754 103770 a105a 103769->103770 103774 a3416 59 API calls 2 library calls 103769->103774 103770->103762 103775 a35b0 103771->103775 103774->103769 103776 a35a1 103775->103776 103777 a35bd 103775->103777 103776->103769 103777->103776 103778 a35c4 RegOpenKeyExW 103777->103778 103778->103776 103779 a35de RegQueryValueExW 103778->103779 103780 a3614 RegCloseKey 103779->103780 103781 a35ff 103779->103781 103780->103776 103781->103780 103782 1376bd8 103796 1374828 103782->103796 103784 1376cba 103799 1376ac8 103784->103799 103802 1377d08 GetPEB 103796->103802 103798 1374eb3 103798->103784 103800 1376ad1 Sleep 103799->103800 103801 1376adf 103800->103801 103803 1377d32 103802->103803 103803->103798

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000A3B68
                                                • IsDebuggerPresent.KERNEL32 ref: 000A3B7A
                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?,001652F8,001652E0,?,?), ref: 000A3BEB
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                  • Part of subcall function 000B092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000A3C14,001652F8,?,?,?), ref: 000B096E
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 000A3C6F
                                                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00157770,00000010), ref: 000DD281
                                                • SetCurrentDirectoryW.KERNEL32(?,001652F8,?,?,?), ref: 000DD2B9
                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00154260,001652F8,?,?,?), ref: 000DD33F
                                                • ShellExecuteW.SHELL32(00000000,?,?), ref: 000DD346
                                                  • Part of subcall function 000A3A46: GetSysColorBrush.USER32(0000000F), ref: 000A3A50
                                                  • Part of subcall function 000A3A46: LoadCursorW.USER32(00000000,00007F00), ref: 000A3A5F
                                                  • Part of subcall function 000A3A46: LoadIconW.USER32(00000063), ref: 000A3A76
                                                  • Part of subcall function 000A3A46: LoadIconW.USER32(000000A4), ref: 000A3A88
                                                  • Part of subcall function 000A3A46: LoadIconW.USER32(000000A2), ref: 000A3A9A
                                                  • Part of subcall function 000A3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000A3AC0
                                                  • Part of subcall function 000A3A46: RegisterClassExW.USER32(?), ref: 000A3B16
                                                  • Part of subcall function 000A39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A3A03
                                                  • Part of subcall function 000A39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A3A24
                                                  • Part of subcall function 000A39D5: ShowWindow.USER32(00000000,?,?), ref: 000A3A38
                                                  • Part of subcall function 000A39D5: ShowWindow.USER32(00000000,?,?), ref: 000A3A41
                                                  • Part of subcall function 000A434A: _memset.LIBCMT ref: 000A4370
                                                  • Part of subcall function 000A434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A4415
                                                Strings
                                                • runas, xrefs: 000DD33A
                                                • This is a third-party compiled AutoIt script., xrefs: 000DD279
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                • String ID: This is a third-party compiled AutoIt script.$runas
                                                • API String ID: 529118366-3287110873
                                                • Opcode ID: 452faf5eec896dfca7ddd2642c65fa880ed29cf38fbb0b6b93c0364729b20a1c
                                                • Instruction ID: 88e06f95949a854ccdb531e9cc5a76624fdfb060a6a24240a3838d3cf8028a6b
                                                • Opcode Fuzzy Hash: 452faf5eec896dfca7ddd2642c65fa880ed29cf38fbb0b6b93c0364729b20a1c
                                                • Instruction Fuzzy Hash: 5551E630908208EADB21EBF4EC16EFD7B7AAB56750F00416DF451A61A3CBB04686CB21

                                                Control-flow Graph

                                                 Control-flow graph of function a49a0 (GetVersionExW, GetCurrentProcess/IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo): edge listing not reproduced in text.
                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 000A49CD
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                • GetCurrentProcess.KERNEL32(?,0012FAEC,00000000,00000000,?), ref: 000A4A9A
                                                • IsWow64Process.KERNEL32(00000000), ref: 000A4AA1
                                                • GetNativeSystemInfo.KERNELBASE(00000000), ref: 000A4AE7
                                                • FreeLibrary.KERNEL32(00000000), ref: 000A4AF2
                                                • GetSystemInfo.KERNEL32(00000000), ref: 000A4B23
                                                • GetSystemInfo.KERNEL32(00000000), ref: 000A4B2F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                • String ID:
                                                • API String ID: 1986165174-0
                                                • Opcode ID: 43342384f950c7e02c081df230f34973ac130c746edac7a44b78463aed65fc6b
                                                • Instruction ID: d82f8cd307d62c9429cf342cdb3bbc11a9332263cfa84ec282b8b238882607a3
                                                • Opcode Fuzzy Hash: 43342384f950c7e02c081df230f34973ac130c746edac7a44b78463aed65fc6b
                                                • Instruction Fuzzy Hash: FB91C33598D7C0DEC771DBA884501AABFF5AF7A300F4449AED0CA93B02D660E548D76A

                                                Control-flow Graph

                                                 Control-flow graph of function a4e89 (CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource): edge listing not reproduced in text.
                                                APIs
                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000A4D8E,?,?,00000000,00000000), ref: 000A4E99
                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000A4D8E,?,?,00000000,00000000), ref: 000A4EB0
                                                • LoadResource.KERNEL32(?,00000000,?,?,000A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000A4E2F), ref: 000DD937
                                                • SizeofResource.KERNEL32(?,00000000,?,?,000A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000A4E2F), ref: 000DD94C
                                                • LockResource.KERNEL32(000A4D8E,?,?,000A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000A4E2F,00000000), ref: 000DD95F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                • String ID: SCRIPT
                                                • API String ID: 3051347437-3967369404
                                                • Opcode ID: 0c31d2af5dc6f80ac771638054f228f1c1653f1dcea3199c31c5a3de12e287ee
                                                • Instruction ID: e869a63633c2a44a47dee79fe092325d5ea516e0f4e15cc277abb24cd08829a5
                                                • Opcode Fuzzy Hash: 0c31d2af5dc6f80ac771638054f228f1c1653f1dcea3199c31c5a3de12e287ee
                                                • Instruction Fuzzy Hash: DA115E75240700BFD7218BA5EC88F677BBAFBC6B11F10427CF40596650DBA1EC528660
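                                                 The function above is the AutoIt runtime locating its embedded, compiled script: FindResourceExW(hModule, 0x0A = RT_RCDATA, L"SCRIPT"), then LoadResource/SizeofResource/LockResource, with the bytes handed to the interpreter through an IStream from CreateStreamOnHGlobal. The following is an added example, not code from the report or from AutoIt, that does the same lookup offline in pure Python: it walks the three-level PE resource directory (type, name, language) to the RCDATA entry named "SCRIPT" and returns its bytes, which is both a quick "is this a compiled AutoIt binary" check and the first step of pulling the script out for analysis. It assumes a standard PE32/PE32+ resource layout; build_sample_pe() constructs a minimal synthetic PE so the code runs without a sample.

```python
"""Locate the RCDATA/"SCRIPT" resource of a compiled AutoIt PE (added example, not from
the report or from AutoIt). Mirrors FindResourceExW(hModule, 0x0A, L"SCRIPT") +
LoadResource/SizeofResource/LockResource as seen in the analysed function."""
import struct
import sys

RT_RCDATA = 10          # resource type 0x0A passed to FindResourceExW in the report
SCRIPT_NAME = "SCRIPT"  # resource name passed to FindResourceExW in the report

def _parse_pe(pe):
    """Return (resource directory RVA, [(vsize, va, raw_size, raw_ptr), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ layout
    rsrc_rva = struct.unpack_from("<I", pe, data_dirs + 2 * 8)[0]  # directory entry 2
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    return rsrc_rva, sections

def _rva_to_offset(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def _dir_entries(pe, res_base, dir_off):
    """Yield (name-or-id, value) for every entry of one IMAGE_RESOURCE_DIRECTORY."""
    named, ids = struct.unpack_from("<HH", pe, res_base + dir_off + 12)
    for i in range(named + ids):
        name, value = struct.unpack_from("<II", pe, res_base + dir_off + 16 + 8 * i)
        if name & 0x80000000:            # high bit set: offset of a UTF-16 name string
            soff = res_base + (name & 0x7FFFFFFF)
            length = struct.unpack_from("<H", pe, soff)[0]
            key = pe[soff + 2:soff + 2 + 2 * length].decode("utf-16-le").upper()
        else:
            key = name
        yield key, value

def find_resource(pe, res_type, res_name):
    """Pure-Python FindResourceEx: bytes of the first language of type/name, else None."""
    rsrc_rva, sections = _parse_pe(pe)
    if rsrc_rva == 0:
        return None
    res_base = _rva_to_offset(sections, rsrc_rva)
    want = res_name.upper() if isinstance(res_name, str) else res_name
    for key, sub in _dir_entries(pe, res_base, 0):                       # level 1: type
        if key != res_type or not sub & 0x80000000:
            continue
        for key2, sub2 in _dir_entries(pe, res_base, sub & 0x7FFFFFFF):  # level 2: name
            if key2 != want or not sub2 & 0x80000000:
                continue
            for _lang, entry in _dir_entries(pe, res_base, sub2 & 0x7FFFFFFF):  # level 3
                if entry & 0x80000000:
                    continue
                data_rva, size = struct.unpack_from("<II", pe, res_base + entry)
                off = _rva_to_offset(sections, data_rva)
                return bytes(pe[off:off + size])
    return None

def extract_autoit_script(pe):
    """Return the embedded compiled-script blob, or None if there is no RCDATA/SCRIPT."""
    return find_resource(pe, RT_RCDATA, SCRIPT_NAME)

def build_sample_pe(payload):
    """Constructed test input: minimal PE32 whose .rsrc holds RCDATA/"SCRIPT" = payload."""
    sec_va, sec_raw = 0x2000, 0x200
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)               # root dir: one id entry
    rsrc += struct.pack("<II", RT_RCDATA, 0x80000000 | 24)        #   -> type dir at 24
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0)              # type dir: one named entry
    rsrc += struct.pack("<II", 0x80000000 | 88, 0x80000000 | 48)  #   name str @88, dir @48
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)              # name dir: one language
    rsrc += struct.pack("<II", 0x0409, 72)                        #   -> data entry at 72
    rsrc += struct.pack("<IIII", sec_va + 104, len(payload), 0, 0)  # data entry (RVA, size)
    rsrc += struct.pack("<H", 6) + SCRIPT_NAME.encode("utf-16-le") + b"\0\0"  # name @88
    rsrc += payload                                               # payload at 104
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, sec_va, len(rsrc))   # resource data directory
    sec = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(rsrc), sec_va, len(rsrc),
                                        sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + rsrc

if __name__ == "__main__":                                        # usage: script.py sample.exe
    with open(sys.argv[1], "rb") as f:
        blob = extract_autoit_script(f.read())
    print("RCDATA/SCRIPT resource: %s" % ("%d bytes" % len(blob) if blob else "absent"))
```

                                                 The returned bytes are the compiled script exactly as stored in the resource, which is what the analysed function wraps in an IStream; recovering the source from that blob is a separate decoding step that this example does not attempt. Absence of the resource does not prove a sample is not AutoIt-based (a script can also be read from disk), but its presence under RT_RCDATA/"SCRIPT" is the same signal the sandbox uses for "Binary is likely a compiled AutoIt script file".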
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,000DE398), ref: 0010446A
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 0010447B
                                                • FindClose.KERNEL32(00000000), ref: 0010448B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirst
                                                • String ID:
                                                • API String ID: 48322524-0
                                                • Opcode ID: 808d9d9bf45d84319f66fb3a1868b5ce3077505bfa902095cb7b32aa9e148e83
                                                • Instruction ID: 752250c8b938d06a1bd3324d50e2f0769a117cf6adaa0739eaf83a93f46bf213
                                                • Opcode Fuzzy Hash: 808d9d9bf45d84319f66fb3a1868b5ce3077505bfa902095cb7b32aa9e148e83
                                                • Instruction Fuzzy Hash: 66E0D876410500B79220AB38EC4D4E9776C9F06335F10072EF975C10D0E7B49D519595
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B0A5B
                                                • timeGetTime.WINMM ref: 000B0D16
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B0E53
                                                • Sleep.KERNEL32(0000000A), ref: 000B0E61
                                                • LockWindowUpdate.USER32(00000000,?,?), ref: 000B0EFA
                                                • DestroyWindow.USER32 ref: 000B0F06
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000B0F20
                                                • Sleep.KERNEL32(0000000A,?,?), ref: 000E4E83
                                                • TranslateMessage.USER32(?), ref: 000E5C60
                                                • DispatchMessageW.USER32(?), ref: 000E5C6E
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000E5C82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                • API String ID: 4212290369-3242690629
                                                • Opcode ID: cdd7b6fc4077f1d2e7d80bb5e3ff06d666f00a996f8a551f3cda1e0178db318c
                                                • Instruction ID: 63f756e9e87224a4588443f26d581dbd5d142a9a86c31976afc06c64b78897ec
                                                • Opcode Fuzzy Hash: cdd7b6fc4077f1d2e7d80bb5e3ff06d666f00a996f8a551f3cda1e0178db318c
                                                • Instruction Fuzzy Hash: BEB2B070608781DFD724DF24C894BAFB7E5BF85308F14492DE599A72A2CB71E885CB42

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00108F5F: __time64.LIBCMT ref: 00108F69
                                                  • Part of subcall function 000A4EE5: _fseek.LIBCMT ref: 000A4EFD
                                                • __wsplitpath.LIBCMT ref: 00109234
                                                  • Part of subcall function 000C40FB: __wsplitpath_helper.LIBCMT ref: 000C413B
                                                • _wcscpy.LIBCMT ref: 00109247
                                                • _wcscat.LIBCMT ref: 0010925A
                                                • __wsplitpath.LIBCMT ref: 0010927F
                                                • _wcscat.LIBCMT ref: 00109295
                                                • _wcscat.LIBCMT ref: 001092A8
                                                  • Part of subcall function 00108FA5: _memmove.LIBCMT ref: 00108FDE
                                                  • Part of subcall function 00108FA5: _memmove.LIBCMT ref: 00108FED
                                                • _wcscmp.LIBCMT ref: 001091EF
                                                  • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109824
                                                  • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109837
                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00109452
                                                • _wcsncpy.LIBCMT ref: 001094C5
                                                • DeleteFileW.KERNEL32(?,?), ref: 001094FB
                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00109511
                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00109522
                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00109534
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 1500180987-0
                                                • Opcode ID: e5cc0759299bdecc08078c1f474da6c99f97cea3bcaad48bd29592b8885472e0
                                                • Instruction ID: 287885a32076e0c0bb90403ed9b8c6ad9d0a2c96dec8c7d93bc78f78b59fdfdf
                                                • Opcode Fuzzy Hash: e5cc0759299bdecc08078c1f474da6c99f97cea3bcaad48bd29592b8885472e0
                                                • Instruction Fuzzy Hash: CDC14EB1D00119AEDF21DF95CC91EDEB7BDEF95300F0040AAF609E6192EB709A458F61

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 000A3074
                                                • RegisterClassExW.USER32(00000030), ref: 000A309E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A30AF
                                                • InitCommonControlsEx.COMCTL32(?), ref: 000A30CC
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A30DC
                                                • LoadIconW.USER32(000000A9), ref: 000A30F2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A3101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: af38ccbd27f998a817764833b02fa06868207a666a4e0d898599a3516b1096f4
                                                • Instruction ID: 8c919822733ba87c35a6901245159a9a8fffafe78ad2723a0f446fba6c6050fc
                                                • Opcode Fuzzy Hash: af38ccbd27f998a817764833b02fa06868207a666a4e0d898599a3516b1096f4
                                                • Instruction Fuzzy Hash: 0F3134B1840309EFDB508FA4EC85AC9BBF6FB09314F14452EE580E6AA1E3B94596CF51

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 000A3074
                                                • RegisterClassExW.USER32(00000030), ref: 000A309E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A30AF
                                                • InitCommonControlsEx.COMCTL32(?), ref: 000A30CC
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A30DC
                                                • LoadIconW.USER32(000000A9), ref: 000A30F2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A3101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: 19eb7f5a2cdf595d6a7371897abe51a6025128aa6acff9727b9ab816c81b0a4e
                                                • Instruction ID: 48c1ab3cfc45620a3c654fc6d1f08fbf388a775c13be0c2f627616504257ec47
                                                • Opcode Fuzzy Hash: 19eb7f5a2cdf595d6a7371897abe51a6025128aa6acff9727b9ab816c81b0a4e
                                                • Instruction Fuzzy Hash: 9C21E3B1900218AFDB10DFA5ED89B9DBBF9FB08700F00412AF910A7AA0D7B14596CF95

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 000A4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001652F8,?,000A37AE,?), ref: 000A4724
                                                  • Part of subcall function 000C050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000A7165), ref: 000C052D
                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000A71A8
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000DE8C8
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000DE909
                                                • RegCloseKey.ADVAPI32(?), ref: 000DE947
                                                • _wcscat.LIBCMT ref: 000DE9A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                • API String ID: 2673923337-2727554177
                                                • Opcode ID: daa205f2f2e62736d9cecb50d03398bf70148a67c55d613f59ecd34e2e441c96
                                                • Instruction ID: 7e758f36bc059385b6885706be81fd9bdd4ee43b3c7a039096687f092577c86e
                                                • Opcode Fuzzy Hash: daa205f2f2e62736d9cecb50d03398bf70148a67c55d613f59ecd34e2e441c96
                                                • Instruction Fuzzy Hash: 38719E71509301AEC300EFA5EC619AFBBF8FF95350F40452EF445972A1DBB09989CBA2

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 000A3A50
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 000A3A5F
                                                • LoadIconW.USER32(00000063), ref: 000A3A76
                                                • LoadIconW.USER32(000000A4), ref: 000A3A88
                                                • LoadIconW.USER32(000000A2), ref: 000A3A9A
                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000A3AC0
                                                • RegisterClassExW.USER32(?), ref: 000A3B16
                                                  • Part of subcall function 000A3041: GetSysColorBrush.USER32(0000000F), ref: 000A3074
                                                  • Part of subcall function 000A3041: RegisterClassExW.USER32(00000030), ref: 000A309E
                                                  • Part of subcall function 000A3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A30AF
                                                  • Part of subcall function 000A3041: InitCommonControlsEx.COMCTL32(?), ref: 000A30CC
                                                  • Part of subcall function 000A3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A30DC
                                                  • Part of subcall function 000A3041: LoadIconW.USER32(000000A9), ref: 000A30F2
                                                  • Part of subcall function 000A3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A3101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 423443420-4155596026
                                                • Opcode ID: 446dccd67803b0a62b16f8b295dcdfc5bb7ab1be1db773ff4c80cea488b60aef
                                                • Instruction ID: f9abca62349f8fe2d47b74a5f1e00a1f4187ba13bcdb490c3031e6c72fe21e82
                                                • Opcode Fuzzy Hash: 446dccd67803b0a62b16f8b295dcdfc5bb7ab1be1db773ff4c80cea488b60aef
                                                • Instruction Fuzzy Hash: 992135B0D00308EFEB20DFA4EC19BAD7BB6EB08711F00412EF504AA6A1D3F556918F94

                                                Control-flow Graph

                                                Control-flow graph (rendered graph not reproduced; executed/not-executed colouring lost): window procedure at a3633. Basic blocks that reach Windows APIs: a36ca-a36d2 DefWindowProcW (default path), a36f9-a370c KillTimer, a3715-a373c SetTimer and RegisterWindowMessageW (TaskbarCreated), a373e-a3749 CreatePopupMenu, a374b-a3753 PostQuitMessage, dd097-dd0a3 SetFocus, dd0a8-dd0c7 MoveWindow. Internal calls: a44a0, a443a, a3114, a434a, b1070, b1093, f7c36, 102527, 102d36.
                                                APIs
                                                • DefWindowProcW.USER32(?,?,?,?), ref: 000A36D2
                                                • KillTimer.USER32(?,00000001), ref: 000A36FC
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A371F
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A372A
                                                • CreatePopupMenu.USER32 ref: 000A373E
                                                • PostQuitMessage.USER32(00000000), ref: 000A374D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: TaskbarCreated
                                                • API String ID: 129472671-2362178303
                                                • Opcode ID: 5d85eeebb06b52f6465428ada0fa58d798248716e7c26ba76b384baf8f684946
                                                • Instruction ID: 2cdde2e729f937b6f2b8d6f80c91e7f31751afdb6c4c4e998607a8f26b6b5480
                                                • Opcode Fuzzy Hash: 5d85eeebb06b52f6465428ada0fa58d798248716e7c26ba76b384baf8f684946
                                                • Instruction Fuzzy Hash: 5F415DB1204605FBDB305FE8DC09BBD37EAEB46300F10023EF502966B2CBA09E959761

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                • API String ID: 1825951767-3513169116
                                                • Opcode ID: c43557f334653e8ba0f5f42c82ff57e21c88b5b69bfc469901fea42ac5d7dd7c
                                                • Instruction ID: 510bc3f031085b3a813d65fb304f26b8cd6fe854cfa5cec3ad46577b6f128e74
                                                • Opcode Fuzzy Hash: c43557f334653e8ba0f5f42c82ff57e21c88b5b69bfc469901fea42ac5d7dd7c
                                                • Instruction Fuzzy Hash: 9DA12A7591022DAACB14EBE4DC91EEEB779BF16300F44052EF416B7192EF745A09CB60

                                                Control-flow Graph

                                                Control-flow graph (rendered graph not reproduced; executed/not-executed colouring lost): function at 1375148 in the non-PE-backed region at 01374000. Main path: 1375148-137519a call 1375048 then CreateFileW; 13751c3-13751da VirtualAlloc; 13751e3-1375209 second CreateFileW; 137522d-1375247 ReadFile; 1375290-13752a7 WriteFile; 13752d2-13752f7 CloseHandle and VirtualFree. Every other branch converges on the exit block 13752fc-1375300.
                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0137518D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                • Instruction ID: 562ce2f71e41a0fc50fab2f2eeae9826647c417c557a81adda7de665f5b0fdb2
                                                • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                • Instruction Fuzzy Hash: 4151E875A50209FBEF34DFA4DC49FDE7BB8AF48705F108954F60AEA1C0DA7896448B60

                                                Control-flow Graph

                                                Control-flow graph (rendered graph not reproduced; executed/not-executed colouring lost): single basic block a39d5-a3a45 calling CreateWindowExW twice and ShowWindow twice.
                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A3A03
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A3A24
                                                • ShowWindow.USER32(00000000,?,?), ref: 000A3A38
                                                • ShowWindow.USER32(00000000,?,?), ref: 000A3A41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                • Opcode ID: 6a487eeb72da34aa9d17266e5ed356489d28827f702abe01b97305eddaf1c8f8
                                                • Instruction ID: 7b1c45a57e6251d564e2b0c973ae3d9271819f3ff21aca36f10384522083a332
                                                • Opcode Fuzzy Hash: 6a487eeb72da34aa9d17266e5ed356489d28827f702abe01b97305eddaf1c8f8
                                                • Instruction Fuzzy Hash: 69F0DA71541690BEEB315B276C59E7B3E7ED7C6F50F00413EFD04A2570C6A11892DAB0

                                                Control-flow Graph

                                                Control-flow graph (rendered graph not reproduced; executed/not-executed colouring lost): function at a407c. Blocks reaching Windows APIs: dd3c8-dd3d7 LoadStringW, a40ed-a416a Shell_NotifyIconW (alongside internal calls c2de0, a454e, c2dbc, a5904). Other blocks call internal helpers a7a16, a7bcc, a7b2e, a6fe3, a7cab and a8047; exit at a416f-a4173.
                                                APIs
                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000DD3D7
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                • _memset.LIBCMT ref: 000A40FC
                                                • _wcscpy.LIBCMT ref: 000A4150
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000A4160
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                • String ID: Line:
                                                • API String ID: 3942752672-1585850449
                                                • Opcode ID: d7fa076649fa95e54696754c2547e4bfd98308756917540542e740b3949a9ced
                                                • Instruction ID: a76e947bc85c16a1c0a2e7c570465b0310efe1d78b704fae87eb33b71c39d000
                                                • Opcode Fuzzy Hash: d7fa076649fa95e54696754c2547e4bfd98308756917540542e740b3949a9ced
                                                • Instruction Fuzzy Hash: 8B31B371008704AFD371EBA0DC46FDB77E8AF95310F10491EF589920A2EBB09689CB92

                                                Control-flow Graph

                                                Control-flow graph (rendered graph not reproduced; executed/not-executed colouring lost): function at c541d spanning blocks c541d-c55e0. No block reaches a Windows API; the only calls are to CRT-internal helpers c8b28, c8db6, d0ba7, d0cc8, d0e5b, c46e6 and c2de0.
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                • String ID:
                                                • API String ID: 1559183368-0
                                                • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                • Instruction ID: 10f7dc2318ae58d967d589b05ee2bceb15401efbaa3bd294a622f2b306f6a749
                                                • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                • Instruction Fuzzy Hash: 55519378A00F059BDB288F69DC50FAE77E6AF40326F24872DF825962D1D770ADD09B40

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                  • Part of subcall function 000A4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4E0F
                                                • _free.LIBCMT ref: 000DE263
                                                • _free.LIBCMT ref: 000DE2AA
                                                  • Part of subcall function 000A6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000A6BAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _free$CurrentDirectoryLibraryLoad
                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                • API String ID: 2861923089-1757145024
                                                • Opcode ID: f5e3bbbdff8c68d3f7214ae560a5e6ef88f55ab58c319e5ffa9ca16ce064ffb6
                                                • Instruction ID: a89a2651dd8d55f5b47b0d7f5ee35b7e80899c71aee1a690e3706dc66b62d922
                                                • Opcode Fuzzy Hash: f5e3bbbdff8c68d3f7214ae560a5e6ef88f55ab58c319e5ffa9ca16ce064ffb6
                                                • Instruction Fuzzy Hash: 44919E71900259EFCF14EFA4CC819EDBBB8FF15310F14442AF816AB2A2DB71A955CB60
                                                APIs
                                                  • Part of subcall function 01376AC8: Sleep.KERNELBASE(000001F4), ref: 01376AD9
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01376D26
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CreateFileSleep
                                                • String ID: IKBBWBG92HS8E66A5QJC1LQ6R
                                                • API String ID: 2694422964-992681987
                                                • Opcode ID: 8f4f8c1c1fcfd383aa18d775f646b58419287b77186dc09304773f443d54277d
                                                • Instruction ID: 490bb2419ec76786a422051aa3e1dee2b5bb7ec1fd46f2eaf179262c9f386068
                                                • Opcode Fuzzy Hash: 8f4f8c1c1fcfd383aa18d775f646b58419287b77186dc09304773f443d54277d
                                                • Instruction Fuzzy Hash: B8619270D0464CDAEF21DBA8C855BEEBB78AF19304F044598E2487B2C1D7B91B49CBA5
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000A35A1,SwapMouseButtons,00000004,?), ref: 000A35D4
                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000A35A1,SwapMouseButtons,00000004,?,?,?,?,000A2754), ref: 000A35F5
                                                • RegCloseKey.KERNELBASE(00000000,?,?,000A35A1,SwapMouseButtons,00000004,?,?,?,?,000A2754), ref: 000A3617
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 3677997916-824357125
                                                • Opcode ID: 3e46e910d884fb1da27af28e13eba48bb3fca983e9b5420bf4052c6688c69d91
                                                • Instruction ID: d145170e77fbaaea33a057c230307078330da49ebbf7b18f3673fbd62dc10573
                                                • Opcode Fuzzy Hash: 3e46e910d884fb1da27af28e13eba48bb3fca983e9b5420bf4052c6688c69d91
                                                • Instruction Fuzzy Hash: AD115A75910208BFDB208FA4DC44DEFB7B9EF05740F00856AF805D7210E2719F519B64
                                                APIs
                                                  • Part of subcall function 000A4EE5: _fseek.LIBCMT ref: 000A4EFD
                                                  • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109824
                                                  • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109837
                                                • _free.LIBCMT ref: 001096A2
                                                • _free.LIBCMT ref: 001096A9
                                                • _free.LIBCMT ref: 00109714
                                                  • Part of subcall function 000C2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,000C9A24), ref: 000C2D69
                                                  • Part of subcall function 000C2D55: GetLastError.KERNEL32(00000000,?,000C9A24), ref: 000C2D7B
                                                • _free.LIBCMT ref: 0010971C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                • String ID:
                                                • API String ID: 1552873950-0
                                                • Opcode ID: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                                • Instruction ID: 3524effda7f3e24665f6a4d135bdbd8785199656688c036a5d0e940117743ebe
                                                • Opcode Fuzzy Hash: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                                • Instruction Fuzzy Hash: 705141B5D14258AFDF249FA4DC81ADEBB79EF88300F1044AEF549A3252DB715A80CF58
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                • String ID:
                                                • API String ID: 2782032738-0
                                                • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                • Instruction ID: 18d033781250fa36440b1302b6349151bf26ddf009b419964777594f76449d90
                                                • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                • Instruction Fuzzy Hash: BD41C375A047469BDB28CFA9C8A0FAE7BE5FF42360B24827DE815C7680DB70DD458B40
                                                APIs
                                                • _memset.LIBCMT ref: 000DEA39
                                                • GetOpenFileNameW.COMDLG32(?), ref: 000DEA83
                                                  • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                  • Part of subcall function 000C0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000C07B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                • String ID: X
                                                • API String ID: 3777226403-3081909835
                                                • Opcode ID: 6d07b3204ed395f4ba2f8df81d5e6e5becbb18558e0fedf21b31e69a20154af3
                                                • Instruction ID: 20d33843290043e5e8c63579c7728b032269e024954663ec678291d9f438f382
                                                • Opcode Fuzzy Hash: 6d07b3204ed395f4ba2f8df81d5e6e5becbb18558e0fedf21b31e69a20154af3
                                                • Instruction Fuzzy Hash: BF21C671A042489BCB519FD4CC45BEE7BFDAF49710F00805AE408BB242DFB45989CFA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_memmove
                                                • String ID: EA06
                                                • API String ID: 1988441806-3962188686
                                                • Opcode ID: 548ac6ec37c223942e7dbc542f32e7092f2fd176b1ff7a11df1275f90cd164ee
                                                • Instruction ID: d90e12649f767b9631287d4e2d6e00a357847392dc2988d77532f58d2fd92448
                                                • Opcode Fuzzy Hash: 548ac6ec37c223942e7dbc542f32e7092f2fd176b1ff7a11df1275f90cd164ee
                                                • Instruction Fuzzy Hash: 8D01B971904218BEDB18CBE8CC56FEE7BF8DB15311F00459EF592D61C1E9B5E6088760
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 0137586D
                                                • ExitProcess.KERNEL32(00000000), ref: 0137588C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process$CreateExit
                                                • String ID: D
                                                • API String ID: 126409537-2746444292
                                                • Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                                • Instruction ID: 2e8d5a01dbbcdf28b2e929da82161f3c2c9e0b33652cac60408821330cdb4910
                                                • Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                                • Instruction Fuzzy Hash: 68F0F4B254024CABDB64DFE4CD49FEE777CBF04705F408908FB0A9A140DA7895089761
                                                APIs
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 001098F8
                                                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0010990F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Temp$FileNamePath
                                                • String ID: aut
                                                • API String ID: 3285503233-3010740371
                                                • Opcode ID: 96029379552a5230effec6e21e142a71032c528808ab9ea545107f14975c0709
                                                • Instruction ID: 907a03535c463b81f545b6744b257bbcdab65d4eb6af10bac1134d961338593b
                                                • Opcode Fuzzy Hash: 96029379552a5230effec6e21e142a71032c528808ab9ea545107f14975c0709
                                                • Instruction Fuzzy Hash: 8CD05E7954030DFBDB60ABA0EC0EF9A773CE704701F0002B1BE54D51A1EAB195AA8BA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 75f150b60e0224eaf491880c6ef00b0a449cdd84cbf8d80939431e953767f5e1
                                                • Instruction ID: c75d9b44aff7d6a56a0fc38bb0ae8639cc42ec1e04a19bf026e57a9d229647a1
                                                • Opcode Fuzzy Hash: 75f150b60e0224eaf491880c6ef00b0a449cdd84cbf8d80939431e953767f5e1
                                                • Instruction Fuzzy Hash: D4F13A716083019FCB18DF28C480AAABBE5FF89314F54892DF8999B352D734E945CF92
                                                APIs
                                                  • Part of subcall function 000C0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C0193
                                                  • Part of subcall function 000C0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 000C019B
                                                  • Part of subcall function 000C0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C01A6
                                                  • Part of subcall function 000C0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C01B1
                                                  • Part of subcall function 000C0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 000C01B9
                                                  • Part of subcall function 000C0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 000C01C1
                                                  • Part of subcall function 000B60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000AF930), ref: 000B6154
                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000AF9CD
                                                • OleInitialize.OLE32(00000000), ref: 000AFA4A
                                                • CloseHandle.KERNEL32(00000000), ref: 000E45C8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                • String ID:
                                                • API String ID: 1986988660-0
                                                • Opcode ID: c7975d5a03ead96e93d18f2a034de57ce0da306f3dc8e001fdd1d92de2c8d755
                                                • Instruction ID: ca826a51d16973d83f6afb40ffa0fb35c1e9d6c4499a182441b2fc3bf1f55ff1
                                                • Opcode Fuzzy Hash: c7975d5a03ead96e93d18f2a034de57ce0da306f3dc8e001fdd1d92de2c8d755
                                                • Instruction Fuzzy Hash: 4781BBB0901A408EC394DF69AD446A97BE7FB59346F9081AAD059DBB62FBF044C5CF10
                                                APIs
                                                • _memset.LIBCMT ref: 000A4370
                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A4415
                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A4432
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_$_memset
                                                • String ID:
                                                • API String ID: 1505330794-0
                                                • Opcode ID: d3969a4750c8ecc9e35f6343f12d82cb2db7508df64c7de5614dc38bc6f0b79d
                                                • Instruction ID: 03e3119b6839281afdb854c6e091a1e7060009108ca1f75b33a290f82a72414f
                                                • Opcode Fuzzy Hash: d3969a4750c8ecc9e35f6343f12d82cb2db7508df64c7de5614dc38bc6f0b79d
                                                • Instruction Fuzzy Hash: 5431C375504701DFC760DFA4D88469BBBF8FB99308F00092EF58A86251E7F0AA88CB52
                                                APIs
                                                • __FF_MSGBANNER.LIBCMT ref: 000C5733
                                                  • Part of subcall function 000CA16B: __NMSG_WRITE.LIBCMT ref: 000CA192
                                                  • Part of subcall function 000CA16B: __NMSG_WRITE.LIBCMT ref: 000CA19C
                                                • __NMSG_WRITE.LIBCMT ref: 000C573A
                                                  • Part of subcall function 000CA1C8: GetModuleFileNameW.KERNEL32(00000000,001633BA,00000104,?,00000001,00000000), ref: 000CA25A
                                                  • Part of subcall function 000CA1C8: ___crtMessageBoxW.LIBCMT ref: 000CA308
                                                  • Part of subcall function 000C309F: ___crtCorExitProcess.LIBCMT ref: 000C30A5
                                                  • Part of subcall function 000C309F: ExitProcess.KERNEL32 ref: 000C30AE
                                                  • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                • RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,000C0DD3,?), ref: 000C575F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                • String ID:
                                                • API String ID: 1372826849-0
                                                • Opcode ID: 9a7b3c0aa408e587827a4313f91bd7859f39d74542a31375deef47fddb3b25f8
                                                • Instruction ID: 8b80405132e1c4c5775a04aeda66ac1ec4a197decfd3c53272403280bf52ef8b
                                                • Opcode Fuzzy Hash: 9a7b3c0aa408e587827a4313f91bd7859f39d74542a31375deef47fddb3b25f8
                                                • Instruction Fuzzy Hash: DB01F539348B11DAD6602774FC56FAE7388CB42763F50022DF415AA1C2DFB0ADC04760
                                                APIs
                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00109548,?,?,?,?,?,00000004), ref: 001098BB
                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00109548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 001098D1
                                                • CloseHandle.KERNEL32(00000000,?,00109548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001098D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleTime
                                                • String ID:
                                                • API String ID: 3397143404-0
                                                • Opcode ID: 9146c0f6e053448e38325bb00733dae63a21e0f7998064ea3cda2edeb05095fd
                                                • Instruction ID: 00cb77b75789b77e432e948b64c5d365b0d05b3c71383291ad578a3f45e75356
                                                • Opcode Fuzzy Hash: 9146c0f6e053448e38325bb00733dae63a21e0f7998064ea3cda2edeb05095fd
                                                • Instruction Fuzzy Hash: EFE08632141218B7D7312B54EC0AFCA7B29AB06760F108234FB54694E087B115739798
                                                APIs
                                                • _free.LIBCMT ref: 00108D1B
                                                  • Part of subcall function 000C2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,000C9A24), ref: 000C2D69
                                                  • Part of subcall function 000C2D55: GetLastError.KERNEL32(00000000,?,000C9A24), ref: 000C2D7B
                                                • _free.LIBCMT ref: 00108D2C
                                                • _free.LIBCMT ref: 00108D3E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                • Instruction ID: 2d18795c06cf7f06cbf20726b95781303e9e141fdb3b40986097e36973abf972
                                                • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                • Instruction Fuzzy Hash: 48E012F161560147CB24A6F8A940FD723DC4F683527140A2DB48ED75C7CFA4F8428228
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CALL
                                                • API String ID: 0-4196123274
                                                • Opcode ID: c66492712b6dd274f6634686199cdc36f3055bf5b743c1637c942a4439955b3d
                                                • Instruction ID: daa9716c7476c71fffb672c6aa60b7481a9e374b55f6a740d27788e62937dd9f
                                                • Opcode Fuzzy Hash: c66492712b6dd274f6634686199cdc36f3055bf5b743c1637c942a4439955b3d
                                                • Instruction Fuzzy Hash: CD226970608301DFD724DF64C490B6AB7E1BF46314F14896DE89A9B3A2DB75EC85CB82
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: EA06
                                                • API String ID: 4104443479-3962188686
                                                • Opcode ID: 46266b99695c21cc57930404de7af7830abab6daacc2587a7e399042e548215e
                                                • Instruction ID: e28bf6fa97a05e84353d0965e6a73767bedba06c28105880af26c60897ad8474
                                                • Opcode Fuzzy Hash: 46266b99695c21cc57930404de7af7830abab6daacc2587a7e399042e548215e
                                                • Instruction Fuzzy Hash: 04414D39A041586BDF219BE4CC917FE7BA29BC7300F284475FC869B287D6E05D4483A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                • Instruction ID: 4b9b8b2cbf9795dce09636fc6c29db893cb49ef9510194d945614ae41dc01c3a
                                                • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                • Instruction Fuzzy Hash: 1F3173B1604606AFC714DFA8CCD1E6DB3A9FF99310715C629E519CB691EB30E950CB90
                                                APIs
                                                • IsThemeActive.UXTHEME ref: 000A4834
                                                  • Part of subcall function 000C336C: __lock.LIBCMT ref: 000C3372
                                                  • Part of subcall function 000C336C: DecodePointer.KERNEL32(00000001,?,000A4849,000F7C74), ref: 000C337E
                                                  • Part of subcall function 000C336C: EncodePointer.KERNEL32(?,?,000A4849,000F7C74), ref: 000C3389
                                                  • Part of subcall function 000A48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000A4915
                                                  • Part of subcall function 000A48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000A492A
                                                  • Part of subcall function 000A3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000A3B68
                                                  • Part of subcall function 000A3B3A: IsDebuggerPresent.KERNEL32 ref: 000A3B7A
                                                  • Part of subcall function 000A3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,001652F8,001652E0,?,?), ref: 000A3BEB
                                                  • Part of subcall function 000A3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 000A3C6F
                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000A4874
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                • String ID:
                                                • API String ID: 1438897964-0
                                                • Opcode ID: be6e1fa6f0024b66edb68dced148a71aeeef7d7b8347cb4bfb03ce6e52583186
                                                • Instruction ID: 090d56a133cb83fead6f4f34282afb0bef71587a9db26b0ac7f4ac97eac5322d
                                                • Opcode Fuzzy Hash: be6e1fa6f0024b66edb68dced148a71aeeef7d7b8347cb4bfb03ce6e52583186
                                                • Instruction Fuzzy Hash: 40119D719183419FC700EF68EC0595EBBE8EF85750F10852EF044872B2DFB49689CB92
                                                APIs
                                                  • Part of subcall function 000C571C: __FF_MSGBANNER.LIBCMT ref: 000C5733
                                                  • Part of subcall function 000C571C: __NMSG_WRITE.LIBCMT ref: 000C573A
                                                  • Part of subcall function 000C571C: RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,000C0DD3,?), ref: 000C575F
                                                • std::exception::exception.LIBCMT ref: 000C0DEC
                                                • __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                  • Part of subcall function 000C859B: RaiseException.KERNEL32(?,?,?,00159E78,00000000,?,?,?,?,000C0E06,?,00159E78,?,00000001), ref: 000C85F0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 3902256705-0
                                                • Opcode ID: 61ec9d1a8306a2cfc7b2b97917bfff682c09d765cf24b37f2821fa126ea75e29
                                                • Instruction ID: 28d8629940fbb4eb543f1e760a62a4d689ae2fcfcc0c3c2a9c431d9392e0fa26
                                                • Opcode Fuzzy Hash: 61ec9d1a8306a2cfc7b2b97917bfff682c09d765cf24b37f2821fa126ea75e29
                                                • Instruction Fuzzy Hash: 4FF0813150031AE6DB14BBD4ED01FDF77AD9F01311F10442EF908A6182DFB09A80D6D5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __lock_file_memset
                                                • String ID:
                                                • API String ID: 26237723-0
                                                • Opcode ID: cbb0d7c37d6bbe4ceb780bc50000607ffb624429608846e9b82e95c90c388511
                                                • Instruction ID: 06e97f6aa6d8e3ea1c32d4de5f3a6b9e138fc449e3b32814f68426c5f8df7013
                                                • Opcode Fuzzy Hash: cbb0d7c37d6bbe4ceb780bc50000607ffb624429608846e9b82e95c90c388511
                                                • Instruction Fuzzy Hash: 2B01A775800A08EBCF22EF649C02EDF7BA1EF91362F54811DF8241B192DB319A91DF91
                                                APIs
                                                  • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                • __lock_file.LIBCMT ref: 000C53EB
                                                  • Part of subcall function 000C6C11: __lock.LIBCMT ref: 000C6C34
                                                • __fclose_nolock.LIBCMT ref: 000C53F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                • String ID:
                                                • API String ID: 2800547568-0
                                                • Opcode ID: 5342343f65012377d35eb1db9462d842a8161f74f23f79f3a7c8497bc6b599fd
                                                • Instruction ID: 08498ed3e9dbbcb24953635c74c4910f8d51218a40577197f475e50519445680
                                                • Opcode Fuzzy Hash: 5342343f65012377d35eb1db9462d842a8161f74f23f79f3a7c8497bc6b599fd
                                                • Instruction Fuzzy Hash: D3F09631910A449AD7206B659C02FED67F0AF41376F25820CA424AB1C3CBFC6A815B55
                                                APIs
                                                  • Part of subcall function 01375108: GetFileAttributesW.KERNELBASE(?), ref: 01375113
                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 013759D0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AttributesCreateDirectoryFile
                                                • String ID:
                                                • API String ID: 3401506121-0
                                                • Opcode ID: 9f2851fa19a9d041d72417e368fcb997af58b4d558008b591407fe3fb730fd60
                                                • Instruction ID: 63e060c091304ba5598d11c6e535e06f55190ed08a31a7902cf8f2abee50647c
                                                • Opcode Fuzzy Hash: 9f2851fa19a9d041d72417e368fcb997af58b4d558008b591407fe3fb730fd60
                                                • Instruction Fuzzy Hash: C7517531A1120997EF24FFA4D954BEF7339EF58300F0045A9E509E7280EB79AB44CBA5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction ID: 73facd27680616ce91d7a4174792ffee224cffbc9e132f89019e4068a5f02592
                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction Fuzzy Hash: E831AEB0A00106DBD758DF58C4D5A6DFBA6FB59300B6487A9E80ACB356DA31EDC1DB80
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 641ef3bfc32bca20c5c0c6f3dfe8d9d43de14617abd8e1251aeb8687d5b2e84f
                                                • Instruction ID: e65bdd374efaa34dab4f4cd9a7c62290de46b948a143e9931a2d260fe45dc108
                                                • Opcode Fuzzy Hash: 641ef3bfc32bca20c5c0c6f3dfe8d9d43de14617abd8e1251aeb8687d5b2e84f
                                                • Instruction Fuzzy Hash: C2412974604341DFDB24DF64C444B5ABBE1BF46314F0988ACE89A8B762C735E845CF52
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: d977ad1cd1e255dc947590983536309c6e93c03397267fafe124af8635f1003e
                                                • Instruction ID: 721cc74c077d82ed1dbee3e3c1afeebfbfd8633884d589361bd1eb51eb427e01
                                                • Opcode Fuzzy Hash: d977ad1cd1e255dc947590983536309c6e93c03397267fafe124af8635f1003e
                                                • Instruction Fuzzy Hash: 512128B2624B09EBDB249F55EC41BAD7BB4FF14351F21842EE44ACD290EB3091D0D765
                                                APIs
                                                  • Part of subcall function 000A4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 000A4BEF
                                                  • Part of subcall function 000C525B: __wfsopen.LIBCMT ref: 000C5266
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4E0F
                                                  • Part of subcall function 000A4B6A: FreeLibrary.KERNEL32(00000000), ref: 000A4BA4
                                                  • Part of subcall function 000A4C70: _memmove.LIBCMT ref: 000A4CBA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Library$Free$Load__wfsopen_memmove
                                                • String ID:
                                                • API String ID: 1396898556-0
                                                • Opcode ID: 6c72e28629d56a2e38786cf2f01b54dce2acc1f98fc2c04bb5381a4f46a7506e
                                                • Instruction ID: faa69626b99dc57a90c5f63fab07a8ebddae0cb8a9f023205b879066e0ca09d9
                                                • Opcode Fuzzy Hash: 6c72e28629d56a2e38786cf2f01b54dce2acc1f98fc2c04bb5381a4f46a7506e
                                                • Instruction Fuzzy Hash: E7119439610205ABCF25EFB0C816FAD77A5AFC5710F10842DF541A7182EBF19951AB61
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: e4e6e63a3ea05f8c491e8ea3e853a0cc381189b787199440b872624a9aa4b500
                                                • Instruction ID: 33b92a0915eb0f8949d5a7300f1aa17d1a13909a3e8a3d5eca58f5fcdea834b1
                                                • Opcode Fuzzy Hash: e4e6e63a3ea05f8c491e8ea3e853a0cc381189b787199440b872624a9aa4b500
                                                • Instruction Fuzzy Hash: E9215570A08341DFCB24DFA4C444B5ABBE0BF8A314F04886CF88A97762D731E805CB92
                                                APIs
                                                • __lock_file.LIBCMT ref: 000C48A6
                                                  • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __getptd_noexit__lock_file
                                                • String ID:
                                                • API String ID: 2597487223-0
                                                • Opcode ID: e7cedccf37411053e6f8e7226782e049d5afdc906ab730963c7284f347f28cd2
                                                • Instruction ID: 9ea78d38b8ca0117b12a1c99fa7aba926992e6e00dd8a772f6ae82af486397d1
                                                • Opcode Fuzzy Hash: e7cedccf37411053e6f8e7226782e049d5afdc906ab730963c7284f347f28cd2
                                                • Instruction Fuzzy Hash: 82F0AF31900609EBDF61AFA48C06FEE36A0BF11325F15851CB8249A1D2CF788955DB55
                                                APIs
                                                • FreeLibrary.KERNEL32(?,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4E7E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: d174259adf8f52bd5ff39eb673f460f17b4f549bf5ba688e12aa7744d38338a2
                                                • Instruction ID: 8e429f0d3231673d06537ff244619b99410de60e9d4d88b3103787c97b6340a6
                                                • Opcode Fuzzy Hash: d174259adf8f52bd5ff39eb673f460f17b4f549bf5ba688e12aa7744d38338a2
                                                • Instruction Fuzzy Hash: D6F03079501711CFCB74DFA4D494816B7F1BF95329310893EE1D682610C7B19890DF40
                                                APIs
                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000C07B0
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: LongNamePath_memmove
                                                • String ID:
                                                • API String ID: 2514874351-0
                                                • Opcode ID: 68796c99e377626d4fcd476d47834e9b4f946fa38e3c75f45a39f7b891e78d77
                                                • Instruction ID: d94b7b26942de2cb35feb4175e34b03067a4bdd9183bd6a543e94640d92f4db4
                                                • Opcode Fuzzy Hash: 68796c99e377626d4fcd476d47834e9b4f946fa38e3c75f45a39f7b891e78d77
                                                • Instruction Fuzzy Hash: 02E0867690422867C72196989C05FEAB7ADDB896A0F0441B6FC0CD7205D9609C9186A0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __fread_nolock
                                                • String ID:
                                                • API String ID: 2638373210-0
                                                • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                • Instruction ID: 0e1a89ff798ae0a31bd84de40e36193586669f0a18486e3296780bfe5b1d33a3
                                                • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                • Instruction Fuzzy Hash: 1EE092B0108B005BD7388E24D811BE373E1AB05305F00081DF2EA83242EBA278418759
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?), ref: 01375113
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                • Instruction ID: 651ee080644b1fe1b2f8465489295a2761e921908f67dd2426f4ee85b7b7343a
                                                • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                • Instruction Fuzzy Hash: C1E0C230A0620CEBDF38CBBCED18AAD77A8EB09326F004664E916C72C0D5798A00DB50
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?), ref: 013750E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                • Instruction ID: c08772348a1cf55e426453cf624acb247a6606746e1b2b4e347fd70e58bd1a6c
                                                • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                • Instruction Fuzzy Hash: 33D05E3090520CEBCB20CAA899089D977A8AB05364F004754E915D32C0D53699049790
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __wfsopen
                                                • String ID:
                                                • API String ID: 197181222-0
                                                • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                • Instruction ID: 79fc7c8b5094c04bb3d01e0bce02cdaabf0a287aa46b062146e50137f8bb9baa
                                                • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                • Instruction Fuzzy Hash: 85B0927A44020C77CE012A82EC02F897B599B467A4F408020FB0C18162A673A6A49A89
                                                APIs
                                                • Sleep.KERNELBASE(000001F4), ref: 01376AD9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                • Instruction ID: f81d3fc1e9c98102ca67fe130104fcc812f9dfbaf8eda27b1599cafa7e2eda6a
                                                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                • Instruction Fuzzy Hash: A0E0BF7494010EEFDB10EFA4D5496DD7BB4EF04301F1045A1FD05D7681DB709E548A62
                                                APIs
                                                • Sleep.KERNELBASE(000001F4), ref: 01376AD9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                • Instruction ID: e5d1d4c39a55d6c7af63697a5e21d63cde055db19e69eb720ec50d1f2fac9993
                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                • Instruction Fuzzy Hash: D2E0E67494010EDFDB00EFB4D5496DD7BB4EF04301F104161FD01D2281DB709D508A62
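                                                The functions above (GetFileAttributesW, Sleep) were disassembled from the dump 0000000001374000 (based on PE: false), while the AutoIt runtime functions come from the image at 000A0000 (based on PE: true). The dump names encode that difference. The following script is an added triage example, not part of the Joe Sandbox report or of Joe Security's tooling; the field layout it parses is an assumption inferred from the values on this page (field 5 lines up with the Windows PAGE_* protection constants: 0x02 for the PE header, 0x20 for .text, 0x04 for .data, 0x40 for the 01374000 region; field 7 lines up with MEM_IMAGE 0x1000000 versus MEM_PRIVATE 0x20000). Fields 6 and 8 are left unparsed because nothing on the page fixes their meaning. The sample input is two "Source File" lines copied from this section.

```python
"""Classify the memory regions that a Joe Sandbox report disassembled code from.

Added example, not Joe Security's code. The dump-name field layout is an
ASSUMPTION inferred from the values seen on the report page:
    proc.phase.snapshot.base.protect.<f6>.type.<f8>.sdmp   (all fields hex)
Field 5 matches Windows PAGE_* constants, field 7 matches MEM_IMAGE/MEM_PRIVATE.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Windows memory protection and region-type constants (winnt.h).
PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

# Assumed descriptor layout (see module docstring); fields 6 and 8 are skipped.
DESCRIPTOR_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<snap>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)
# The report's own "Source File: <dump>, Offset: <hex>, based on PE: true|false" lines.
SOURCE_LINE_RE = re.compile(
    r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: Optional[bool] = None  # what the report itself states, if known

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE

    def verdict(self) -> str:
        """Code executing from writable memory that no image backs is the usual
        footprint of an unpacked or injected payload stage."""
        if not self.executable:
            return "data"
        if self.image_backed:
            return "image-backed code"
        if self.writable:
            return "unbacked RWX code (likely injected/unpacked payload)"
        return "unbacked executable code"


def parse_descriptor(name: str, based_on_pe: Optional[bool] = None) -> DumpRegion:
    m = DESCRIPTOR_RE.search(name)
    if not m:
        raise ValueError(f"not a recognised dump descriptor: {name!r}")
    region = DumpRegion(int(m["proc"], 16), int(m["base"], 16),
                        int(m["protect"], 16), int(m["type"], 16), based_on_pe)
    # Cross-check the assumed layout against the flag the report prints itself.
    if based_on_pe is not None and based_on_pe != region.image_backed:
        raise ValueError(f"field layout assumption violated for {name!r}")
    return region


def regions_from_report(report_text: str) -> dict[int, DumpRegion]:
    """Collect every distinct 'Source File:' region in a chunk of report text."""
    regions: dict[int, DumpRegion] = {}
    for m in SOURCE_LINE_RE.finditer(report_text):
        r = parse_descriptor(m["dump"], m["pe"].lower() == "true")
        regions.setdefault(r.base, r)
    return regions


def suspicious_bases(report_text: str) -> list[int]:
    """Bases of regions that execute code without an image backing them."""
    return sorted(b for b, r in regions_from_report(report_text).items()
                  if r.executable and not r.image_backed)


# Constructed sample: two "Source File" lines copied from this report section.
SAMPLE = """
Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
"""

if __name__ == "__main__":
    for base, r in sorted(regions_from_report(SAMPLE).items()):
        print(f"{base:#010x} protect={r.protect:#04x} type={r.mem_type:#09x} -> {r.verdict()}")
```

Run against the whole report text, suspicious_bases returns only 0x1374000 for this sample: every function attributed to that dump (the GetFileAttributesW and Sleep(500 ms) stubs above) runs from private RWX memory, which is what the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures in the overview refer to. The cross-check in parse_descriptor fails loudly if a report ever contradicts the assumed field layout, so the assumption is tested rather than trusted.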
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0012CB37
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0012CB95
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0012CBD6
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0012CC00
                                                • SendMessageW.USER32 ref: 0012CC29
                                                • _wcsncpy.LIBCMT ref: 0012CC95
                                                • GetKeyState.USER32(00000011), ref: 0012CCB6
                                                • GetKeyState.USER32(00000009), ref: 0012CCC3
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0012CCD9
                                                • GetKeyState.USER32(00000010), ref: 0012CCE3
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0012CD0C
                                                • SendMessageW.USER32 ref: 0012CD33
                                                • SendMessageW.USER32(?,00001030,?,0012B348), ref: 0012CE37
                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0012CE4D
                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0012CE60
                                                • SetCapture.USER32(?), ref: 0012CE69
                                                • ClientToScreen.USER32(?,?), ref: 0012CECE
                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0012CEDB
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0012CEF5
                                                • ReleaseCapture.USER32 ref: 0012CF00
                                                • GetCursorPos.USER32(?), ref: 0012CF3A
                                                • ScreenToClient.USER32(?,?), ref: 0012CF47
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0012CFA3
                                                • SendMessageW.USER32 ref: 0012CFD1
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0012D00E
                                                • SendMessageW.USER32 ref: 0012D03D
                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0012D05E
                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0012D06D
                                                • GetCursorPos.USER32(?), ref: 0012D08D
                                                • ScreenToClient.USER32(?,?), ref: 0012D09A
                                                • GetParent.USER32(?), ref: 0012D0BA
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0012D123
                                                • SendMessageW.USER32 ref: 0012D154
                                                • ClientToScreen.USER32(?,?), ref: 0012D1B2
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0012D1E2
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0012D20C
                                                • SendMessageW.USER32 ref: 0012D22F
                                                • ClientToScreen.USER32(?,?), ref: 0012D281
                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0012D2B5
                                                  • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0012D351
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                • String ID: @GUI_DRAGID$F
                                                • API String ID: 3977979337-4164748364
                                                • Opcode ID: 4dcb4f751e00d7624f985500c68239a5fbc68051c3312206ecd0ba88354df108
                                                • Instruction ID: 205474e86beb1f7b46aad5d7c43b2bdb60cc993470c47da2f8de426e37469521
                                                • Opcode Fuzzy Hash: 4dcb4f751e00d7624f985500c68239a5fbc68051c3312206ecd0ba88354df108
                                                • Instruction Fuzzy Hash: 4442BB78204290AFD724CF28E844EAABBF6FF49350F14052DF695876A1C731D8A5DB92
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove$_memset
                                                • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                • API String ID: 1357608183-1798697756
                                                • Opcode ID: dc08cfaa5ec3cf425feb0da69614b75307364c593bb591f8b008d2e706239b1b
                                                • Instruction ID: d733d03c6cf22d27948ed5663daf13e379bc09a1a361f2bf0e7ed6dfb5189d7b
                                                • Opcode Fuzzy Hash: dc08cfaa5ec3cf425feb0da69614b75307364c593bb591f8b008d2e706239b1b
                                                • Instruction Fuzzy Hash: 6D939371A04219DBDB24CF58C881BFDB7F1FF48710F25816AEA49AB691E7709E81DB40
                                                APIs
                                                • GetForegroundWindow.USER32(00000000,?), ref: 000A48DF
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000DD665
                                                • IsIconic.USER32(?), ref: 000DD66E
                                                • ShowWindow.USER32(?,00000009), ref: 000DD67B
                                                • SetForegroundWindow.USER32(?), ref: 000DD685
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000DD69B
                                                • GetCurrentThreadId.KERNEL32 ref: 000DD6A2
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 000DD6AE
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 000DD6BF
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 000DD6C7
                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 000DD6CF
                                                • SetForegroundWindow.USER32(?), ref: 000DD6D2
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD6E7
                                                • keybd_event.USER32(00000012,00000000), ref: 000DD6F2
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD6FC
                                                • keybd_event.USER32(00000012,00000000), ref: 000DD701
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD70A
                                                • keybd_event.USER32(00000012,00000000), ref: 000DD70F
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD719
                                                • keybd_event.USER32(00000012,00000000), ref: 000DD71E
                                                • SetForegroundWindow.USER32(?), ref: 000DD721
                                                • AttachThreadInput.USER32(?,?,00000000), ref: 000DD748
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 4125248594-2988720461
                                                • Opcode ID: 4a9d35db9c7924c9560f03eb59a3298b85b5c33892e6959e9b5ff08cda7c4abb
                                                • Instruction ID: 3520ac04ace02de6f8100b92f5b49d9fda90f3374a5f078f4f62f735c40fa498
                                                • Opcode Fuzzy Hash: 4a9d35db9c7924c9560f03eb59a3298b85b5c33892e6959e9b5ff08cda7c4abb
                                                • Instruction Fuzzy Hash: F6317371A40318BAEB306F619C49F7F7E7CEB44B50F10407AFA04EA1D1D6B05952AAA0
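The call order in the function above (GetWindowThreadProcessId on the foreground window, AttachThreadInput to its thread, keybd_event with virtual key 0x12 = VK_MENU, then SetForegroundWindow, and finally AttachThreadInput with 0 to detach) is the well-known way to defeat the foreground-lock that SetForegroundWindow enforces for background processes: attaching to the foreground thread's input queue and injecting an Alt press makes the caller count as the "last input" owner. The Python below is an added triage helper, not code from the report or from the sample. It parses Joe Sandbox's "• Api.MODULE(args), ref: ADDR" lines (the regex and the record layout are my assumptions about the report format), names the virtual-key arguments, and flags that ordering. The sample input is a subset of the lines from the listing above, embedded as a constant.

```python
import re
from typing import Dict, List, NamedTuple

# Subset of the API lines from the window-activation routine above,
# embedded here so the helper runs offline.
REPORT_LINES = """
• GetForegroundWindow.USER32(00000000,?), ref: 000A48DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000DD665
• IsIconic.USER32(?), ref: 000DD66E
• ShowWindow.USER32(?,00000009), ref: 000DD67B
• SetForegroundWindow.USER32(?), ref: 000DD685
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000DD69B
• GetCurrentThreadId.KERNEL32 ref: 000DD6A2
• AttachThreadInput.USER32(?,00000000,00000001), ref: 000DD6BF
• MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD6E7
• keybd_event.USER32(00000012,00000000), ref: 000DD6F2
• SetForegroundWindow.USER32(?), ref: 000DD721
• AttachThreadInput.USER32(?,?,00000000), ref: 000DD748
"""

# Assumed layout of a Joe Sandbox API line; "Part of subcall function" prefixes
# are tolerated, and calls without an argument list (GetCurrentThreadId) too.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: int  # address of the call site, parsed from the hex "ref:" field


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn report lines into structured call records, in listing order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


# Virtual-key codes seen as the first argument of keybd_event / MapVirtualKeyW.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


def vk_name(arg: str) -> str:
    """Map a hex argument to its VK_ name; unknown or '?' arguments pass through."""
    try:
        code = int(arg, 16)
    except ValueError:
        return arg
    return VK_NAMES.get(code, f"VK_0x{code:02X}")


def find_focus_forcing(calls: List[ApiCall]) -> Dict[str, object]:
    """Flag the AttachThreadInput -> synthetic Alt -> SetForegroundWindow order.

    The call-site addresses are used as the ordering key, which matches how
    the report lists them for a single function.
    """
    attach = [c for c in calls
              if c.api == "AttachThreadInput" and c.args[-1:] == ["00000001"]]
    alt_presses = [c for c in calls
                   if c.api == "keybd_event" and c.args and vk_name(c.args[0]) == "VK_MENU"]
    foreground = [c for c in calls if c.api == "SetForegroundWindow"]
    ordered = bool(attach and alt_presses and foreground and
                   attach[0].ref < alt_presses[0].ref < max(c.ref for c in foreground))
    return {
        "attach_then_alt_then_foreground": ordered,
        "synthetic_keys": sorted({vk_name(c.args[0]) for c in alt_presses}),
        "targets_taskbar": any(c.api == "FindWindowW" and "Shell_TrayWnd" in c.args
                               for c in calls),
    }


if __name__ == "__main__":
    print(find_focus_forcing(parse_api_lines(REPORT_LINES)))
```

The same parser can be pointed at any function's API list from this report; the `find_focus_forcing` check is one concrete rule, and the `Shell_TrayWnd` lookup is included because this routine falls back to the taskbar window when no foreground window is found.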
                                                APIs
                                                  • Part of subcall function 000F87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F882B
                                                  • Part of subcall function 000F87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F8858
                                                  • Part of subcall function 000F87E1: GetLastError.KERNEL32 ref: 000F8865
                                                • _memset.LIBCMT ref: 000F8353
                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000F83A5
                                                • CloseHandle.KERNEL32(?), ref: 000F83B6
                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000F83CD
                                                • GetProcessWindowStation.USER32 ref: 000F83E6
                                                • SetProcessWindowStation.USER32(00000000), ref: 000F83F0
                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000F840A
                                                  • Part of subcall function 000F81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000F8309), ref: 000F81E0
                                                  • Part of subcall function 000F81CB: CloseHandle.KERNEL32(?,?,000F8309), ref: 000F81F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                • String ID: $default$winsta0
                                                • API String ID: 2063423040-1027155976
                                                • Opcode ID: ecf8f3acef57b6029f8525e903b06bcbf983a0a48827cc9d1bc15978d7627daa
                                                • Instruction ID: c8883bfcea839df721e8d323ca5813b80351361a51332bc9947fbfb6d8571b8e
                                                • Opcode Fuzzy Hash: ecf8f3acef57b6029f8525e903b06bcbf983a0a48827cc9d1bc15978d7627daa
                                                • Instruction Fuzzy Hash: F881477180020DBFDF61DFA4DC45AFE7BB9EF04704F148169FA10A6661DB319A5AEB20
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 0010C78D
                                                • FindClose.KERNEL32(00000000), ref: 0010C7E1
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0010C806
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0010C81D
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0010C844
                                                • __swprintf.LIBCMT ref: 0010C890
                                                • __swprintf.LIBCMT ref: 0010C8D3
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                • __swprintf.LIBCMT ref: 0010C927
                                                  • Part of subcall function 000C3698: __woutput_l.LIBCMT ref: 000C36F1
                                                • __swprintf.LIBCMT ref: 0010C975
                                                  • Part of subcall function 000C3698: __flsbuf.LIBCMT ref: 000C3713
                                                  • Part of subcall function 000C3698: __flsbuf.LIBCMT ref: 000C372B
                                                • __swprintf.LIBCMT ref: 0010C9C4
                                                • __swprintf.LIBCMT ref: 0010CA13
                                                • __swprintf.LIBCMT ref: 0010CA62
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                • API String ID: 3953360268-2428617273
                                                • Opcode ID: 04379960b9ebe0f0d4b4448d7fa6473cfa7f12052b81fa1c462e5b5316c61e95
                                                • Instruction ID: 10c65735e99426d7c21e78a207fc0033d63cdedb763c409ee5bc016f8e5c3d13
                                                • Opcode Fuzzy Hash: 04379960b9ebe0f0d4b4448d7fa6473cfa7f12052b81fa1c462e5b5316c61e95
                                                • Instruction Fuzzy Hash: D1A11BB1508304ABC714EFA4C885EEFB7ECBF95704F40492DF59586192EB34DA49CBA2
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0010EFB6
                                                • _wcscmp.LIBCMT ref: 0010EFCB
                                                • _wcscmp.LIBCMT ref: 0010EFE2
                                                • GetFileAttributesW.KERNEL32(?), ref: 0010EFF4
                                                • SetFileAttributesW.KERNEL32(?,?), ref: 0010F00E
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0010F026
                                                • FindClose.KERNEL32(00000000), ref: 0010F031
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0010F04D
                                                • _wcscmp.LIBCMT ref: 0010F074
                                                • _wcscmp.LIBCMT ref: 0010F08B
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0010F09D
                                                • SetCurrentDirectoryW.KERNEL32(00158920), ref: 0010F0BB
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0010F0C5
                                                • FindClose.KERNEL32(00000000), ref: 0010F0D2
                                                • FindClose.KERNEL32(00000000), ref: 0010F0E4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*
                                                • API String ID: 1803514871-438819550
                                                • Opcode ID: 9220c0595c408df891f30750fe2bcbbf2ba49d13c6e21ed8f41e60d2b6bff9db
                                                • Instruction ID: b9c35c9530647fc240f92b466d06eb6a603843f6b965585d04625c819738289c
                                                • Opcode Fuzzy Hash: 9220c0595c408df891f30750fe2bcbbf2ba49d13c6e21ed8f41e60d2b6bff9db
                                                • Instruction Fuzzy Hash: 9F31E532500219BACB34EFA4DC49EEE77ADAF45360F10417DF840E24D1DBB0DA96CA51
                                                APIs
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00120953
                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0012F910,00000000,?,00000000,?,?), ref: 001209C1
                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00120A09
                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00120A92
                                                • RegCloseKey.ADVAPI32(?), ref: 00120DB2
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00120DBF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Close$ConnectCreateRegistryValue
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 536824911-966354055
                                                • Opcode ID: e4668c824737272edda7d58ba8cf10700d813ed7cad9626a572d9da46757acff
                                                • Instruction ID: 2ceaa1aa7235d837f086b1eb09f11b0c869dc129abe775060d05e91abad832b2
                                                • Opcode Fuzzy Hash: e4668c824737272edda7d58ba8cf10700d813ed7cad9626a572d9da46757acff
                                                • Instruction Fuzzy Hash: 30028A756006119FCB15EF64D881E6AB7E5FF8A710F04895CF88A9B7A2CB34EC51CB81
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0010F113
                                                • _wcscmp.LIBCMT ref: 0010F128
                                                • _wcscmp.LIBCMT ref: 0010F13F
                                                  • Part of subcall function 00104385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001043A0
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0010F16E
                                                • FindClose.KERNEL32(00000000), ref: 0010F179
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0010F195
                                                • _wcscmp.LIBCMT ref: 0010F1BC
                                                • _wcscmp.LIBCMT ref: 0010F1D3
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0010F1E5
                                                • SetCurrentDirectoryW.KERNEL32(00158920), ref: 0010F203
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0010F20D
                                                • FindClose.KERNEL32(00000000), ref: 0010F21A
                                                • FindClose.KERNEL32(00000000), ref: 0010F22C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*
                                                • API String ID: 1824444939-438819550
                                                • Opcode ID: 53145d07fe1e814827adfdd209701f9e43d3eec4d0f153cac5551e46cc955732
                                                • Instruction ID: 62b3728151950138e5f7d1ba2c3b8865e1e97ca1752441598d3c92cdc73b2e43
                                                • Opcode Fuzzy Hash: 53145d07fe1e814827adfdd209701f9e43d3eec4d0f153cac5551e46cc955732
                                                • Instruction Fuzzy Hash: 5131C236500219BADB30AFA4EC4AEEE77BCAF45360F14417DE850A24E1DB70DA97CA54
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0010A20F
                                                • __swprintf.LIBCMT ref: 0010A231
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0010A26E
                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0010A293
                                                • _memset.LIBCMT ref: 0010A2B2
                                                • _wcsncpy.LIBCMT ref: 0010A2EE
                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0010A323
                                                • CloseHandle.KERNEL32(00000000), ref: 0010A32E
                                                • RemoveDirectoryW.KERNEL32(?), ref: 0010A337
                                                • CloseHandle.KERNEL32(00000000), ref: 0010A341
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                • String ID: :$\$\??\%s
                                                • API String ID: 2733774712-3457252023
                                                • Opcode ID: fa6013f0fdf4142c922a24b7807e89978cc870212254a878642e5c887c5a9e5c
                                                • Instruction ID: 6ef63c7b5f714530ca7b8d0d17f9f7878a20bca45cf9bcb84401690bfc85cb2c
                                                • Opcode Fuzzy Hash: fa6013f0fdf4142c922a24b7807e89978cc870212254a878642e5c887c5a9e5c
                                                • Instruction Fuzzy Hash: 3231A075500209ABDB20DFA0DC49FEB37BCFF89740F5041BAF509D61A1EB7096968B25
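Two of the functions above are only readable once their numeric arguments are decoded. In the CreateDirectoryW / CreateFileW / DeviceIoControl routine just listed, the control code 0x000900A4 is FSCTL_SET_REPARSE_POINT (device type 9 = FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED, FILE_ANY_ACCESS), the CreateFileW flags 0x02200000 are FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, and the format string "\??\%s" builds the NT-namespace substitute name; together that is the standard recipe for creating a directory junction (mount-point reparse point) on a freshly created directory. In the earlier DuplicateTokenEx routine, OpenWindowStationW("winsta0", 0x00060000) asks for READ_CONTROL | WRITE_DAC and OpenDesktopW("default", 0x00060081) adds DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS, the rights needed for the SetUserObjectSecurity / AddAce edits in the function that follows. The Python below is an added decoder, not code from the report or the sample; the constant tables are Windows SDK values, and the classifier rule is my own.

```python
from typing import Dict, List

# CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method (Windows SDK).
DEVICE_TYPES = {0x0009: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Reparse-point FSCTLs: functions 41, 42, 43 on the file-system device.
KNOWN_FSCTL = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
}

# CreateFileW dwFlagsAndAttributes bits that matter for reparse-point handling.
CREATEFILE_FLAGS = {
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}

# Standard rights plus desktop-specific rights (window stations share the
# standard part; their specific bits differ and are not needed for 0x60000).
STANDARD_RIGHTS = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
                   0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER"}
DESKTOP_RIGHTS = {
    **STANDARD_RIGHTS,
    0x0001: "DESKTOP_READOBJECTS", 0x0002: "DESKTOP_CREATEWINDOW",
    0x0004: "DESKTOP_CREATEMENU", 0x0008: "DESKTOP_HOOKCONTROL",
    0x0010: "DESKTOP_JOURNALRECORD", 0x0020: "DESKTOP_JOURNALPLAYBACK",
    0x0040: "DESKTOP_ENUMERATE", 0x0080: "DESKTOP_WRITEOBJECTS",
    0x0100: "DESKTOP_SWITCHDESKTOP",
}


def ctl_code(device: int, function: int, method: int, access: int) -> int:
    """Rebuild an IOCTL the way the SDK's CTL_CODE macro does."""
    return (device << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split an IOCTL into its four fields and name it if it is a known FSCTL."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "device": DEVICE_TYPES.get(device, f"0x{device:04X}"),
        "function": function,
        "method": METHODS[method],
        "access": ACCESS[access],
        "name": KNOWN_FSCTL.get(code, "unknown"),
    }


def decode_mask(value: int, table: Dict[int, str]) -> List[str]:
    """Name every known bit in an access mask or flag word, lowest bit first;
    any leftover bits are reported as a hex remainder so nothing is hidden."""
    names, remaining = [], value
    for bit, name in sorted(table.items()):
        if value & bit == bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:08X}")
    return names


def classify_reparse_sequence(ioctl: int, create_flags: int, name_fmt: str) -> str:
    """My rule: SET_REPARSE_POINT on a handle opened with OPEN_REPARSE_POINT,
    with an NT-namespace (\\??\\) substitute name, is junction creation."""
    flags = decode_mask(create_flags, CREATEFILE_FLAGS)
    if (decode_ioctl(ioctl)["name"] == "FSCTL_SET_REPARSE_POINT"
            and "FILE_FLAG_OPEN_REPARSE_POINT" in flags
            and name_fmt.startswith("\\??\\")):
        return "directory junction creation"
    return "other reparse-point activity"


if __name__ == "__main__":
    print(decode_ioctl(0x000900A4))
    print(decode_mask(0x02200000, CREATEFILE_FLAGS))
    print(decode_mask(0x00060081, DESKTOP_RIGHTS))
    print(classify_reparse_sequence(0x000900A4, 0x02200000, "\\??\\%s"))
```

Decoding the arguments is what turns "CreateDirectoryW, CreateFileW, DeviceIoControl, RemoveDirectoryW" from a generic file-API list into a specific capability (the RemoveDirectoryW at the end is the cleanup path when the reparse point could not be set).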
                                                APIs
                                                  • Part of subcall function 000F8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F821E
                                                  • Part of subcall function 000F8202: GetLastError.KERNEL32(?,000F7CE2,?,?,?), ref: 000F8228
                                                  • Part of subcall function 000F8202: GetProcessHeap.KERNEL32(00000008,?,?,000F7CE2,?,?,?), ref: 000F8237
                                                  • Part of subcall function 000F8202: HeapAlloc.KERNEL32(00000000,?,000F7CE2,?,?,?), ref: 000F823E
                                                  • Part of subcall function 000F8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F8255
                                                  • Part of subcall function 000F829F: GetProcessHeap.KERNEL32(00000008,000F7CF8,00000000,00000000,?,000F7CF8,?), ref: 000F82AB
                                                  • Part of subcall function 000F829F: HeapAlloc.KERNEL32(00000000,?,000F7CF8,?), ref: 000F82B2
                                                  • Part of subcall function 000F829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000F7CF8,?), ref: 000F82C3
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000F7D13
                                                • _memset.LIBCMT ref: 000F7D28
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000F7D47
                                                • GetLengthSid.ADVAPI32(?), ref: 000F7D58
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 000F7D95
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000F7DB1
                                                • GetLengthSid.ADVAPI32(?), ref: 000F7DCE
                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000F7DDD
                                                • HeapAlloc.KERNEL32(00000000), ref: 000F7DE4
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000F7E05
                                                • CopySid.ADVAPI32(00000000), ref: 000F7E0C
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000F7E3D
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000F7E63
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000F7E77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                • String ID:
                                                • API String ID: 3996160137-0
                                                • Opcode ID: a2d456be6964b525baad2de7101dc617b8c557cde0ff8c30cfbb9ba622b90170
                                                • Instruction ID: 39f0ee950ead71acad7d5baac1c2734aa0494d9eaa17ca96b579493f657d73ea
                                                • Opcode Fuzzy Hash: a2d456be6964b525baad2de7101dc617b8c557cde0ff8c30cfbb9ba622b90170
                                                • Instruction Fuzzy Hash: D9615C71900109AFDF108FA0DC44EFEBBBAFF08300F04816EF915A6691DB319A16DB61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                • API String ID: 0-4052911093
                                                • Opcode ID: 9b208c9b77af1ee7d76a7f6ff931609cf7f6a25597bca6f86b55b41e0f518b66
                                                • Instruction ID: b9ec638008235cad03d62d521700c0c9564821c32a802ea071ffb82ff36b8c73
                                                • Opcode Fuzzy Hash: 9b208c9b77af1ee7d76a7f6ff931609cf7f6a25597bca6f86b55b41e0f518b66
                                                • Instruction Fuzzy Hash: 91725C71E00219DBDB64CF58C880BFEB7F5EF44710F14816AE909EB691EB359A81DB90
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 00100097
                                                • SetKeyboardState.USER32(?), ref: 00100102
                                                • GetAsyncKeyState.USER32(000000A0), ref: 00100122
                                                • GetKeyState.USER32(000000A0), ref: 00100139
                                                • GetAsyncKeyState.USER32(000000A1), ref: 00100168
                                                • GetKeyState.USER32(000000A1), ref: 00100179
                                                • GetAsyncKeyState.USER32(00000011), ref: 001001A5
                                                • GetKeyState.USER32(00000011), ref: 001001B3
                                                • GetAsyncKeyState.USER32(00000012), ref: 001001DC
                                                • GetKeyState.USER32(00000012), ref: 001001EA
                                                • GetAsyncKeyState.USER32(0000005B), ref: 00100213
                                                • GetKeyState.USER32(0000005B), ref: 00100221
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: ec5c7b734beead219239852d874e9b7a4b4616eda44504ceb64dfb172709df93
                                                • Instruction ID: 5d89068efea53e897070c371b72b07cbf311b847ad10fbaaf7e4df28d8426f52
                                                • Opcode Fuzzy Hash: ec5c7b734beead219239852d874e9b7a4b4616eda44504ceb64dfb172709df93
                                                • Instruction Fuzzy Hash: 9851DA3090478829FB36DBA089547EABFB49F16380F08459ED9C65A5C3DBE4DB8CC761
                                                APIs
                                                  • Part of subcall function 00120E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001204AC
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0012054B
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001205E3
                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00120822
                                                • RegCloseKey.ADVAPI32(00000000), ref: 0012082F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                • String ID:
                                                • API String ID: 1240663315-0
                                                • Opcode ID: ae1e7a7e73be0e404926d738e88d4371e07ea088f22ded8fa9fd84ff8c9f5044
                                                • Instruction ID: cb8d0d65ecf08438f2e9c59bea6e320ef525eb8b14526f709d305a28b49ef643
                                                • Opcode Fuzzy Hash: ae1e7a7e73be0e404926d738e88d4371e07ea088f22ded8fa9fd84ff8c9f5044
                                                • Instruction Fuzzy Hash: 46E16B30604214AFCB15DF28D891E6BBBE5EF89714F04896DF84ADB262DB30ED11CB91
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                • String ID:
                                                • API String ID: 1737998785-0
                                                • Opcode ID: 2e0b2c5b486374593c6170fffb42b2971c59a377ad068c1b1ae10f0b7e15228a
                                                • Instruction ID: 2a042398e30bca425458c08fb1f65ee3eb39967d14a98a01c4782602f33a0c1b
                                                • Opcode Fuzzy Hash: 2e0b2c5b486374593c6170fffb42b2971c59a377ad068c1b1ae10f0b7e15228a
                                                • Instruction Fuzzy Hash: CF21A335700210AFDB14AF64EC19BAD7BB8EF05B10F148039F946DB6A2DB74AC92CB54
                                                APIs
                                                  • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                  • Part of subcall function 00104A31: GetFileAttributesW.KERNEL32(?,0010370B), ref: 00104A32
                                                • FindFirstFileW.KERNEL32(?,?), ref: 001038A3
                                                • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0010394B
                                                • MoveFileW.KERNEL32(?,?), ref: 0010395E
                                                • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0010397B
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0010399D
                                                • FindClose.KERNEL32(00000000,?,?,?,?), ref: 001039B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 4002782344-1173974218
                                                • Opcode ID: ea3fada14cb67c6f79aabd7c206428d1a9d02f6fbda9e6afc98e41ed1daa6042
                                                • Instruction ID: c12cc7cba50047ab064635cde0872412482bba6ec27730997c5b75140f654532
                                                • Opcode Fuzzy Hash: ea3fada14cb67c6f79aabd7c206428d1a9d02f6fbda9e6afc98e41ed1daa6042
                                                • Instruction Fuzzy Hash: F551AD3180414CAACF15EBE0CE929EEB779AF16305F604069E456B71D2EFB06F09CB60
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0010F440
                                                • Sleep.KERNEL32(0000000A), ref: 0010F470
                                                • _wcscmp.LIBCMT ref: 0010F484
                                                • _wcscmp.LIBCMT ref: 0010F49F
                                                • FindNextFileW.KERNEL32(?,?), ref: 0010F53D
                                                • FindClose.KERNEL32(00000000), ref: 0010F553
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                • String ID: *.*
                                                • API String ID: 713712311-438819550
                                                • Opcode ID: 0df0721185851826e1442974232cd39aee44bc5e55b87269c9d6afe203646959
                                                • Instruction ID: 33f7bd9061cdc92a3c989d356cee1d8c4eb75e9ed624da8c797bf36fe85b9011
                                                • Opcode Fuzzy Hash: 0df0721185851826e1442974232cd39aee44bc5e55b87269c9d6afe203646959
                                                • Instruction Fuzzy Hash: DB417F71900219AFCF24DFA4DC4AAEEBBB4FF05310F10846AE855A75D1DB709A96CB50
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 7aab678def570969ed66b4975e033b80a2a909673eb0dde8ae19e32f4bdb0fb8
                                                • Instruction ID: 683505eb2e22e9882b20a463c059e41f37d2e3e224788b12c755729d11e30815
                                                • Opcode Fuzzy Hash: 7aab678def570969ed66b4975e033b80a2a909673eb0dde8ae19e32f4bdb0fb8
                                                • Instruction Fuzzy Hash: 4D12A970A00A09DFDF14DFA4D981AEEB7F5FF48301F108569E846E7292EB36A910CB50
                                                APIs
                                                  • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                  • Part of subcall function 00104A31: GetFileAttributesW.KERNEL32(?,0010370B), ref: 00104A32
                                                • FindFirstFileW.KERNEL32(?,?), ref: 00103B89
                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00103BD9
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00103BEA
                                                • FindClose.KERNEL32(00000000), ref: 00103C01
                                                • FindClose.KERNEL32(00000000), ref: 00103C0A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 2649000838-1173974218
                                                • Opcode ID: 84091ac8776dd736b0fa3b5e03e435613a32e754e885fa77b008e2d99b434814
                                                • Instruction ID: 0337001aa5229c1c47bece9717a54c107bec3505c6ffd978c67a2bb8f8da2a94
                                                • Opcode Fuzzy Hash: 84091ac8776dd736b0fa3b5e03e435613a32e754e885fa77b008e2d99b434814
                                                • Instruction Fuzzy Hash: ED316D31008385ABC305EF64C9919EFB7ACBF96315F404D2EF4E592192EB61DA09C763
                                                APIs
                                                  • Part of subcall function 000F87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F882B
                                                  • Part of subcall function 000F87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F8858
                                                  • Part of subcall function 000F87E1: GetLastError.KERNEL32 ref: 000F8865
                                                • ExitWindowsEx.USER32(?,00000000), ref: 001051F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                • String ID: $@$SeShutdownPrivilege
                                                • API String ID: 2234035333-194228
                                                • Opcode ID: c530ff0f6d2904aa7f9765eb474869ee0156d86d16bb8f6cbe98ddc4e3822db4
                                                • Instruction ID: 37eb5fdb8bda11da06ed03a210ea1fb6f9297fc9f375b8981da266e9f2b40c0b
                                                • Opcode Fuzzy Hash: c530ff0f6d2904aa7f9765eb474869ee0156d86d16bb8f6cbe98ddc4e3822db4
                                                • Instruction Fuzzy Hash: 8301F735691615FBE73C62689C8AFFB726AEF05740F204534F993E24D3DBD15C428990
                                                APIs
                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001162DC
                                                • WSAGetLastError.WSOCK32(00000000), ref: 001162EB
                                                • bind.WSOCK32(00000000,?,00000010), ref: 00116307
                                                • listen.WSOCK32(00000000,00000005), ref: 00116316
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00116330
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00116344
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                • String ID:
                                                • API String ID: 1279440585-0
                                                • Opcode ID: 8bb2400dbf97be2cd4aec68968187e5b6874e5d62e0aa7c364b1a27938d516b7
                                                • Instruction ID: 7dc5e1540538ba062753a14df2d3847bc9391dfecea56cee43861f43bdd8b8c1
                                                • Opcode Fuzzy Hash: 8bb2400dbf97be2cd4aec68968187e5b6874e5d62e0aa7c364b1a27938d516b7
                                                • Instruction Fuzzy Hash: BE21D534600204AFCB14EF64C945BAEB7B9EF45710F14416CE916A7392CB70AC82CB61
                                                APIs
                                                  • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                  • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                • _memmove.LIBCMT ref: 000F0258
                                                • _memmove.LIBCMT ref: 000F036D
                                                • _memmove.LIBCMT ref: 000F0414
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                • String ID:
                                                • API String ID: 1300846289-0
                                                • Opcode ID: 7b35a496ab183d2b5992669b8533332b46a03bc0df75bfb814710ac3f9128df5
                                                • Instruction ID: 0ecf445945182d8afba60e13d9aa2276c51ad2ce9969de3cef10f954b723a012
                                                • Opcode Fuzzy Hash: 7b35a496ab183d2b5992669b8533332b46a03bc0df75bfb814710ac3f9128df5
                                                • Instruction Fuzzy Hash: 3A029FB0A00209DBCF14DF64D981ABEBBF5FF44300F1480A9E90ADB256EB35DA54DB91
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 000A19FA
                                                • GetSysColor.USER32(0000000F), ref: 000A1A4E
                                                • SetBkColor.GDI32(?,00000000), ref: 000A1A61
                                                  • Part of subcall function 000A1290: DefDlgProcW.USER32(?,00000020,?), ref: 000A12D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ColorProc$LongWindow
                                                • String ID:
                                                • API String ID: 3744519093-0
                                                • Opcode ID: 17e6d33b9ba8876dbbf85b915e1674e701072bac9442f29088e426dc8307c7f9
                                                • Instruction ID: 68ac22870946b65c35a23ad13c41867a6ac9da8bca02bfd957c7554854e5ea69
                                                • Opcode Fuzzy Hash: 17e6d33b9ba8876dbbf85b915e1674e701072bac9442f29088e426dc8307c7f9
                                                • Instruction Fuzzy Hash: ADA17870106694FAEB38ABA99C54EFF35DDDF67341F15021AF102D6692CB208D51D2B3
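The function blocks above follow one fixed layout (an APIs list with `Name.MODULE(args), ref: ADDR` lines, then Source File, API ID, String ID, Opcode ID and Instruction Fuzzy Hash fields), which makes them easy to machine-triage. The following script is an added example, not code from the Joe Sandbox report or from the sample: it parses that layout, tags each function with a coarse capability label from the APIs it calls, and decodes the numeric arguments that the listing leaves raw (the virtual-key codes polled with GetAsyncKeyState/GetKeyState, and the address family, socket type, protocol and backlog of the socket/bind/listen sequence). The `SAMPLE` text is constructed from three of the blocks on this page with the Associated lines dropped; the capability rules and the constant tables are the editor's own heuristics and are not anything the report states.

```python
"""Parse the per-function blocks of a Joe Sandbox 'IDA Plugin' listing and tag
each function with a capability label derived from the APIs it calls.
Added example, not code from the Joe Sandbox report. SAMPLE is constructed
from three blocks on this page (API lines, String ID and fuzzy hashes copied,
'Associated' lines dropped); the rules and constant tables are the editor's own
heuristics, not anything the report states."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetAsyncKeyState.USER32(000000A0), ref: 00100122
• GetKeyState.USER32(000000A0), ref: 00100139
• GetAsyncKeyState.USER32(00000011), ref: 001001A5
• GetAsyncKeyState.USER32(0000005B), ref: 00100213
Memory Dump Source
• Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
Similarity
• API ID: State$Async$Keyboard
• String ID:
• Instruction Fuzzy Hash: 9851DA3090478829FB36DBA089547EABFB49F16380F08459ED9C65A5C3DBE4DB8CC761
APIs
  • Part of subcall function 000F87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F882B
  • Part of subcall function 000F87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F8858
• ExitWindowsEx.USER32(?,00000000), ref: 001051F9
• String ID: $@$SeShutdownPrivilege
• Instruction Fuzzy Hash: 8301F735691615FBE73C62689C8AFFB726AEF05740F204534F993E24D3DBD15C428990
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001162DC
• bind.WSOCK32(00000000,?,00000010), ref: 00116307
• listen.WSOCK32(00000000,00000005), ref: 00116316
• Instruction Fuzzy Hash: BE21D534600204AFCB14EF64C945BAEB7B9EF45710F14416CE916A7392CB70AC82CB61
"""

# One API call line, with or without the "Part of subcall function X:" prefix
# and with or without an argument list ("_memmove.LIBCMT ref: ..." has none).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID|Instruction Fuzzy Hash|Source File):\s*(?P<val>.*)$")

@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: str = ""  # address of the subcall the line was attributed to, if any

@dataclass
class Func:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def names(self):
        return {c.name for c in self.calls}

def parse(text):
    """Split the listing into Func records; a block ends at its Instruction Fuzzy Hash line."""
    funcs, cur = [], Func()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            cur.meta[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                funcs.append(cur)
                cur = Func()
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(Call(m["name"], m["mod"], args, m["ref"], m["sub"] or ""))
    return funcs

# Win32 constants (winuser.h / winsock.h values) for the raw numbers in the listing.
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
      0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
AF, SOCK, PROTO = {2: "AF_INET"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}, {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def _hex(arg):
    """Hex argument as int, or None for '?' (value unknown to the analyser)."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]+", arg) else None

def polled_keys(func):
    """Decode the VK code passed to each GetAsyncKeyState/GetKeyState call."""
    out = []
    for c in func.calls:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args:
            code = _hex(c.args[0])
            out.append(VK.get(code, f"0x{code:02X}") if code is not None else "?")
    return out

def listener(func):
    """(family, type, protocol, backlog) if the function does socket+bind+listen, else None."""
    s = next((c for c in func.calls if c.name == "socket"), None)
    l = next((c for c in func.calls if c.name == "listen"), None)
    if not (s and l and any(c.name == "bind" for c in func.calls)):
        return None
    af, ty, pr = (_hex(a) for a in s.args[:3])
    return (AF.get(af, af), SOCK.get(ty, ty), PROTO.get(pr, pr), _hex(l.args[1]))

# Editor's heuristics: a tag means the code CAN do this, not that the sample's logic does.
RULES = {
    "modifier-key polling": lambda f: bool(f.names() & {"GetAsyncKeyState", "GetKeyState"}),
    "shutdown with SeShutdownPrivilege": lambda f: "ExitWindowsEx" in f.names()
        and "SeShutdownPrivilege" in f.meta.get("String ID", ""),
    "TCP listener": lambda f: (listener(f) or (None,) * 3)[2] == "IPPROTO_TCP",
    "directory wipe": lambda f: {"FindFirstFileW", "DeleteFileW"} <= f.names(),
}

def triage(text):
    """One dict per function: first direct-call ref, capability tags, decoded details, fuzzy hash."""
    return [{
        "ref": next((c.ref for c in f.calls if not c.subcall), None),
        "caps": [k for k, rule in RULES.items() if rule(f)],
        "keys": polled_keys(f),
        "listener": listener(f),
        "fuzzy": f.meta.get("Instruction Fuzzy Hash"),
    } for f in parse(text)]
```

Run it over the full listing rather than `SAMPLE` to get one row per function; the `fuzzy` field is the value to pivot on when comparing with other samples, since it survives recompilation better than the Opcode ID. Keep in mind that a tag describes what the code in the dump is able to do: in an interpreter or runtime binary these functions are the built-ins available to whatever script it carries, so the tag is a lead for the analyst, not proof that the sample exercises that path.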
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 0010BCE6
                                                • _wcscmp.LIBCMT ref: 0010BD16
                                                • _wcscmp.LIBCMT ref: 0010BD2B
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0010BD3C
                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0010BD6C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                • String ID:
                                                • API String ID: 2387731787-0
                                                • Opcode ID: e352f3c0aa3e7d32738951f5ae16983b5d02e50923708b54366fbf57aff32912
                                                • Instruction ID: 6c438e3204830086cb202b08813790e7ad8f927d228ccfadc91c8ba55b8be89f
                                                • Opcode Fuzzy Hash: e352f3c0aa3e7d32738951f5ae16983b5d02e50923708b54366fbf57aff32912
                                                • Instruction Fuzzy Hash: 93515E356086019FC718DFA8C4D0E9AB3E4EF49314F10462DE996873A2DB70ED05CB91
                                                APIs
                                                  • Part of subcall function 00117D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00117DB6
                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0011679E
                                                • WSAGetLastError.WSOCK32(00000000), ref: 001167C7
                                                • bind.WSOCK32(00000000,?,00000010), ref: 00116800
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0011680D
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00116821
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                • String ID:
                                                • API String ID: 99427753-0
                                                • Opcode ID: 9e2b5483dd7676de230afb08356ed42cbabc3834929e1a3db8b3b003f1988133
                                                • Instruction ID: ba69bfe317ffd7b74da3f337b960589a89af805e68fd3da55a240050934df0bf
                                                • Opcode Fuzzy Hash: 9e2b5483dd7676de230afb08356ed42cbabc3834929e1a3db8b3b003f1988133
                                                • Instruction Fuzzy Hash: 6441C275B00210AFDB14AFA48C86FAE77A89B06B14F04856CF915AB3D3CB749D4187A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                • String ID:
                                                • API String ID: 292994002-0
                                                • Opcode ID: e3812b28f3d60630d05b92e6f7681c2f6b16cc273df1538e6aa968e2d036ca1a
                                                • Instruction ID: 258cdd526eedf400695325b1fe32c138869f48a4dbaee3f27ac98b02a3dfa642
                                                • Opcode Fuzzy Hash: e3812b28f3d60630d05b92e6f7681c2f6b16cc273df1538e6aa968e2d036ca1a
                                                • Instruction Fuzzy Hash: 3711C8317009216FD721AF26AC84A6EBBAAFF457A1F41403CF845D3242DB74DC6386A0
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F80C0
                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F80CA
                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F80D9
                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000F80E0
                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F80F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                • Opcode ID: 406f409ee556390b64a012a85a02e37a00717c8ac68e7ab88b4dee4efe901cfd
                                                • Instruction ID: f626b4362b8d86dddf93aae4adddac20f6b69aa825831d3bcf81cf267f52fdf2
                                                • Opcode Fuzzy Hash: 406f409ee556390b64a012a85a02e37a00717c8ac68e7ab88b4dee4efe901cfd
                                                • Instruction Fuzzy Hash: F5F03C35240208BFEB204FA5EC89EB73BADFF49755F504139FA4586550CB619C93EB60
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 0010C432
                                                • CoCreateInstance.OLE32(00132D6C,00000000,00000001,00132BDC,?), ref: 0010C44A
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                • CoUninitialize.OLE32 ref: 0010C6B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_memmove
                                                • String ID: .lnk
                                                • API String ID: 2683427295-24824748
                                                • Opcode ID: e20d660c559b5250fec9e40e2ebcf09aa68535d51a1be9f560fe31e0b6473221
                                                • Instruction ID: 901dd1ac92cd183b71291b989ace9cb0396ab777f20f33c4f0ca8ff5b3d68654
                                                • Opcode Fuzzy Hash: e20d660c559b5250fec9e40e2ebcf09aa68535d51a1be9f560fe31e0b6473221
                                                • Instruction Fuzzy Hash: 3FA12B71204205AFD700EF94CC81EABB7E8FF95354F00492DF5959B1A2DB71EA49CB62
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,000A4AD0), ref: 000A4B45
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000A4B57
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                • API String ID: 2574300362-192647395
                                                • Opcode ID: b69cb3464d1ae1104106cd3a6e954355440f31bb72c1c9bd6f3fbd40567f4eee
                                                • Instruction ID: dbea9d3e8c441ddedae786154ecd998a7aae15d51b2f64f58b5e045ef4d8af95
                                                • Opcode Fuzzy Hash: b69cb3464d1ae1104106cd3a6e954355440f31bb72c1c9bd6f3fbd40567f4eee
                                                • Instruction Fuzzy Hash: E5D01234A10723DFD7209F71E818B06B6F4AF45751F11883D9485D6550D7B0D4E1C664
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __itow__swprintf
                                                • String ID:
                                                • API String ID: 674341424-0
                                                • Opcode ID: cfb9da426b90a2512ff278d537e0acebabe200b4f493da63249ded2256d13ab5
                                                • Instruction ID: 447cee5c011a2e962d570d6a41d3fa10c39ec50250330422062d10ab94146a84
                                                • Opcode Fuzzy Hash: cfb9da426b90a2512ff278d537e0acebabe200b4f493da63249ded2256d13ab5
                                                • Instruction Fuzzy Hash: 7F22AB716083409FC724DF64D891BAFB7E4AF85710F14492DF89AA7292DB71EA04CB92
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 0011EE3D
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0011EE4B
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                • Process32NextW.KERNEL32(00000000,?), ref: 0011EF0B
                                                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0011EF1A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                • String ID:
                                                • API String ID: 2576544623-0
                                                • Opcode ID: 22edfd2a02d11d981512746580a9cc55aa657390e679739e8342d59dbc8e29d5
                                                • Instruction ID: dd210cc4e94cd060da7a7be99b1c798e3f9e7af28f304888af57d17fbb465a93
                                                • Opcode Fuzzy Hash: 22edfd2a02d11d981512746580a9cc55aa657390e679739e8342d59dbc8e29d5
                                                • Instruction Fuzzy Hash: 6B51A071504301AFD324EF60DC81EABB7E8FF95700F40482DF895972A2EB70A949CB92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID:
                                                • API String ID: 3964851224-0
                                                • Opcode ID: aad7ff25bcd4effc8b411b9a1ba0c8e035c22baa4ca021e18f405aa91cc20ff7
                                                • Instruction ID: 6fdab96c1ece53bd488bbbc861cd93ec4802d7e969108c4b764ff09983bbf464
                                                • Opcode Fuzzy Hash: aad7ff25bcd4effc8b411b9a1ba0c8e035c22baa4ca021e18f405aa91cc20ff7
                                                • Instruction Fuzzy Hash: F2926970A083418FD764DF24C480BABB7E5BF85304F14896DE98A9B362D775EC45CB92
                                                APIs
                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000FE628
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: lstrlen
                                                • String ID: ($|
                                                • API String ID: 1659193697-1631851259
                                                • Opcode ID: a0226b0488c534f0113590f734022ef272cbd7bbea38ee84fed4decff9e3ea67
                                                • Instruction ID: ba49bb11306aae3db3ff449f7e80ffab1d46260076a586a9f0dd4c687da1e2ac
                                                • Opcode Fuzzy Hash: a0226b0488c534f0113590f734022ef272cbd7bbea38ee84fed4decff9e3ea67
                                                • Instruction Fuzzy Hash: 11323575A047099FD728DF19C4819AAB7F0FF48310B15C46EE99ADB7A2E770E941CB40
                                                APIs
                                                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0011180A,00000000), ref: 001123E1
                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00112418
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Internet$AvailableDataFileQueryRead
                                                • String ID:
                                                • API String ID: 599397726-0
                                                • Opcode ID: 9a285fe5fbd22cd5f0f6ceab9307444d0e5706a6d9a6f3b37a4e239e8516bef3
                                                • Instruction ID: 52b5e7cc0488f5feb5f46e869617420a2092106a18485fe44f1c271dca979a86
                                                • Opcode Fuzzy Hash: 9a285fe5fbd22cd5f0f6ceab9307444d0e5706a6d9a6f3b37a4e239e8516bef3
                                                • Instruction Fuzzy Hash: DF41D071A04209BFEB289B95DC81FFFB7ACEB44314F10403EF611A6541EB749EA19660
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0010B343
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0010B39D
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0010B3EA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID:
                                                • API String ID: 1682464887-0
                                                • Opcode ID: 44e1a71091bb02eff737026fee64d0ecca8dc041dd49ae0e8b9c5509779d24a9
                                                • Instruction ID: 2666c3a5c8050af1ea03e9b95241b178d06548e3dae76b9c50600c0617460710
                                                • Opcode Fuzzy Hash: 44e1a71091bb02eff737026fee64d0ecca8dc041dd49ae0e8b9c5509779d24a9
                                                • Instruction Fuzzy Hash: 4E217135A00508EFCB00EFA5D881AEEBBB8FF49310F1480A9E905AB351DB359956CB51
                                                APIs
                                                  • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                  • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F882B
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F8858
                                                • GetLastError.KERNEL32 ref: 000F8865
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                • String ID:
                                                • API String ID: 1922334811-0
                                                • Opcode ID: 088dbe30f6c8327fb6c640c047ca32790013177996251dd3680bf088c001dd3d
                                                • Instruction ID: aa2d7bfa52939b1e2e918df40b58ab953f4ec8baf7631dae7529633034ac0139
                                                • Opcode Fuzzy Hash: 088dbe30f6c8327fb6c640c047ca32790013177996251dd3680bf088c001dd3d
                                                • Instruction Fuzzy Hash: 941160B1414205AFD728DF54DC85D6BB7FDEB44750B10852EF45697641DE30AC42CB60
                                                APIs
                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 000F8774
                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000F878B
                                                • FreeSid.ADVAPI32(?), ref: 000F879B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                • String ID:
                                                • API String ID: 3429775523-0
                                                • Opcode ID: 71b84890bf0aa180825bff28fa1da21bce211eb9f63beb81bbf8ce94c27bd6fd
                                                • Instruction ID: 4a917b7c1154f715a3d05c7ef1355a186421682f409134e2198f31b761957107
                                                • Opcode Fuzzy Hash: 71b84890bf0aa180825bff28fa1da21bce211eb9f63beb81bbf8ce94c27bd6fd
                                                • Instruction Fuzzy Hash: 62F08735A0030CBFDB00DFE09C89AAEBBB8EF08200F1044A8AA01E2581E6306A558B14
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 0010C6FB
                                                • FindClose.KERNEL32(00000000), ref: 0010C72B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: d281fcd31415dc5d4469dd2affffe5ae5c0ee2cb4417efa529b103b95daa2f11
                                                • Instruction ID: 42a1b917df81a09edcd566896d533cd99c8a0763b1aa47fd76f094eac01b8078
                                                • Opcode Fuzzy Hash: d281fcd31415dc5d4469dd2affffe5ae5c0ee2cb4417efa529b103b95daa2f11
                                                • Instruction Fuzzy Hash: 4E118E726006049FDB10DF29C845A6AF7E9FF85320F00861DF9A997291DB74A801CF91
                                                APIs
                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00119468,?,0012FB84,?), ref: 0010A097
                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00119468,?,0012FB84,?), ref: 0010A0A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorFormatLastMessage
                                                • String ID:
                                                • API String ID: 3479602957-0
                                                • Opcode ID: d4d37b5042e0304680ec22ce0aed8ced3b2aa20131ab6730324313c431c9f149
                                                • Instruction ID: bdc0dc247c53af7fd31ab49784b4aa22d4de382dc5b66155fce13b6495627ba9
                                                • Opcode Fuzzy Hash: d4d37b5042e0304680ec22ce0aed8ced3b2aa20131ab6730324313c431c9f149
                                                • Instruction Fuzzy Hash: 0BF0823510532DBBDB219FA4CC48FEA776CFF09761F00826AF909D6181DB709951CBA1
                                                APIs
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000F8309), ref: 000F81E0
                                                • CloseHandle.KERNEL32(?,?,000F8309), ref: 000F81F2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                • String ID:
                                                • API String ID: 81990902-0
                                                • Opcode ID: ac2e0ba8ee4481f1f28bff263fd2418f22521601de8572de267fa77262d83eee
                                                • Instruction ID: 40b45cbec82e083f8eccd95b566506588d4aa01ebf4076e3eaea7cd1af2801ca
                                                • Opcode Fuzzy Hash: ac2e0ba8ee4481f1f28bff263fd2418f22521601de8572de267fa77262d83eee
                                                • Instruction Fuzzy Hash: 54E0BF71010510EEE7252B60EC09EB777EEEB04310B14892DB955C4871DB616CA2DB10
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,000C8D57,?,?,?,00000001), ref: 000CA15A
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000CA163
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 09c53ce8244f9851f3ebc410f9e7a298fac6fc12438f8b146647062e039faecf
                                                • Instruction ID: 539286daa2931981b77e3187fdbeee35fbb815963bb2fd5f7aab3b5d1bfcf05f
                                                • Opcode Fuzzy Hash: 09c53ce8244f9851f3ebc410f9e7a298fac6fc12438f8b146647062e039faecf
                                                • Instruction Fuzzy Hash: E3B09231054208FBCA106B91EC09B883F78FB44AA2F404034F60D84860CB6254A3CA91
                                                Strings
                                                • Variable must be of type 'Object'., xrefs: 000E3E62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Variable must be of type 'Object'.
                                                • API String ID: 0-109567571
                                                • Opcode ID: 9fe877ccff2e8018f51b9ae0d2445344eccaac67af1eca7a020fe712ca9b55e5
                                                • Instruction ID: 7967339fbd802ffa7d8e93d4c4e13b9c061bf86f446b66ef6e6782477ff6aac3
                                                • Opcode Fuzzy Hash: 9fe877ccff2e8018f51b9ae0d2445344eccaac67af1eca7a020fe712ca9b55e5
                                                • Instruction Fuzzy Hash: FBA27D74A00245CFCB64CF94C894AAEB7F2FF5A310F248469E905AB352D775ED82CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 894644d06617243525ca60abfbe0adb4c6169343bb577e4226f9282e88ea3c57
                                                • Instruction ID: 06606186e2d4a6786112f03876bcccd3703c46df195638be5124c02dabbb23c6
                                                • Opcode Fuzzy Hash: 894644d06617243525ca60abfbe0adb4c6169343bb577e4226f9282e88ea3c57
                                                • Instruction Fuzzy Hash: CD321361D29F064DDB639634D83233AA299AFB73C4F15D73BE819B5DA9EB28C4C34101
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f464c8f24513ee355db6628f7b617bf26d89feeb59fafadc4c104d1a2fb40881
                                                • Instruction ID: 54fa4fedd3d044c08b1f46860ec7bc1b0a4321093a07603250bd72a7dd402141
                                                • Opcode Fuzzy Hash: f464c8f24513ee355db6628f7b617bf26d89feeb59fafadc4c104d1a2fb40881
                                                • Instruction Fuzzy Hash: 98B1DE21E2AF414DD22396398835336BA5CAFBB2C5F91D71BFC6674D62EB2285C34141
                                                APIs
                                                • __time64.LIBCMT ref: 0010889B
                                                  • Part of subcall function 000C520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00108F6E,00000000,?,?,?,?,0010911F,00000000,?), ref: 000C5213
                                                  • Part of subcall function 000C520A: __aulldiv.LIBCMT ref: 000C5233
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Time$FileSystem__aulldiv__time64
                                                • String ID:
                                                • API String ID: 2893107130-0
                                                • Opcode ID: c6ecb052af9ad8bf240a57d3cad7689426f1611f928e4a50989ab2ec7a33f1b9
                                                • Instruction ID: 0d781f6e770b34f8e128c05ab0eb3f430f0fc3d4d9e4bca91e66381a8de4e525
                                                • Opcode Fuzzy Hash: c6ecb052af9ad8bf240a57d3cad7689426f1611f928e4a50989ab2ec7a33f1b9
                                                • Instruction Fuzzy Hash: 7521AF326256108BC729CF29D841A52B3E1EBA5311B688E6DD1F6CB2C0CBB4B945CB94
                                                APIs
                                                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00104C4A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: mouse_event
                                                • String ID:
                                                • API String ID: 2434400541-0
                                                • Opcode ID: 1c0acd617303be076d22b7a6e3181422a300ae09bdcb857731609c6a256985e7
                                                • Instruction ID: 778efa1e14abdd85cc9034b2c67e60a03f9dd6333767744475a7a834fcc435c2
                                                • Opcode Fuzzy Hash: 1c0acd617303be076d22b7a6e3181422a300ae09bdcb857731609c6a256985e7
                                                • Instruction Fuzzy Hash: A6D05EF51652093BFE2C07209F8FF7A1108E380782FD1818973818A0C1EEC49C415030
                                                APIs
                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000F8389), ref: 000F87D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: LogonUser
                                                • String ID:
                                                • API String ID: 1244722697-0
                                                • Opcode ID: f6bb94e645288441d946848c008bf250f33dfaf9ab9f721fa06e06de7f8c4814
                                                • Instruction ID: c18100f5a29489a876633678cd6ca5a6c2a1161ec1717a8ccc306b9613ce20e0
                                                • Opcode Fuzzy Hash: f6bb94e645288441d946848c008bf250f33dfaf9ab9f721fa06e06de7f8c4814
                                                • Instruction Fuzzy Hash: 9ED05E3226050EBBEF018EA4ED05EAE3B6AEB04B01F408121FE15D50A1C775D836AB60
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 000CA12A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 1c61813b8144847544b520543a7fd12e33e2775919bd966ce3e2992117090436
                                                • Instruction ID: 20679b9e9d9756be118a43633f1d84b71541986935c51ab28831a09cb6e9ca96
                                                • Opcode Fuzzy Hash: 1c61813b8144847544b520543a7fd12e33e2775919bd966ce3e2992117090436
                                                • Instruction Fuzzy Hash: 86A0113000020CFB8A002B82EC08888BFACEB002A0B008030F80C808228B32A8A28A80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b70fb4a8e2df2238ab5c76b6e3d5d0f0108cdd4e57007300d18b842ca80ecbab
                                                • Instruction ID: 7d07aeb7adc467f0bb94b678c91ef5b23ee4820a0192a46649c2602c72333a49
                                                • Opcode Fuzzy Hash: b70fb4a8e2df2238ab5c76b6e3d5d0f0108cdd4e57007300d18b842ca80ecbab
                                                • Instruction Fuzzy Hash: 8A22363050460ACBEF788A64C8947BD77E5FB41305F28C06BDB468B9B2DB74AD91E742
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction ID: 60e427fca34c55f6ef2a07ed9d7c811bdc8ac4e7ba2c41a8dc56239506f2e35d
                                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction Fuzzy Hash: 32C193322050930AEBAD47398434A7EFAE15FA37B131A076DD8B3CB5D5EE20C975D660
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction ID: bf8ccc6340ada184a719e41f1ee1d8f1c56e0077548bd694bcb9b557ed25036c
                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction Fuzzy Hash: 25C1D4322051930AEFAD47398474A7EBAE15FA37B131A036DD4B3DB4D5EE20C974D660
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction ID: ba13be34c23054be7148481fa2eb852543c45b4815cad543e35bf314f19a8992
                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction Fuzzy Hash: 19C1A43220509309EFAD47398474ABEBAE15FA37B131A075DE4B3CB1C6EE20C975D660
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                • Instruction ID: 50218eea3f70240b767f058b1913b33675476883c05541da86710e27417a8093
                                                • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                • Instruction Fuzzy Hash: A541C171D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D734AB41DB80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0b96d2019149ad045e2fab9f7ce87151d33c874815b8ca7d8b37dc5c546f561
                                                • Instruction ID: 9038406eb8812c421809f57402a0d7c6efdd8a64357c833ff4db4b6114bc33b6
                                                • Opcode Fuzzy Hash: a0b96d2019149ad045e2fab9f7ce87151d33c874815b8ca7d8b37dc5c546f561
                                                • Instruction Fuzzy Hash: F511E1385051088FCB619F7DC8905F5BBF9EFA6320B95C1ABD881CB1A2EA344D86C711
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                • Instruction ID: 26e4a7c1ece0dd61e26772e8546e76355e4683f7f5daf8110b0a6c07bed60687
                                                • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                • Instruction Fuzzy Hash: DD019D79E00209EFCB58DF98C5949AEF7B5FB48314F20859AE819A7701D734AE42DB80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                • Instruction ID: 131d846ad2e030f8e429ab198ee29250ba91fa255c0f6e1cb8f3065b69fe7cb2
                                                • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                • Instruction Fuzzy Hash: 44019279A10109EFCB54DF98C5949AEF7F5FB48314F208599D819A7701D734AE41DB80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1436880276.0000000001374000.00000040.00000020.00020000.00000000.sdmp, Offset: 01374000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1374000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 0011785B
                                                • DeleteObject.GDI32(00000000), ref: 0011786D
                                                • DestroyWindow.USER32 ref: 0011787B
                                                • GetDesktopWindow.USER32 ref: 00117895
                                                • GetWindowRect.USER32(00000000), ref: 0011789C
                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 001179DD
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 001179ED
                                                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117A35
                                                • GetClientRect.USER32(00000000,?), ref: 00117A41
                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00117A7B
                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117A9D
                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117AB0
                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117ABB
                                                • GlobalLock.KERNEL32(00000000), ref: 00117AC4
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117AD3
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00117ADC
                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117AE3
                                                • GlobalFree.KERNEL32(00000000), ref: 00117AEE
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117B00
                                                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00132CAC,00000000), ref: 00117B16
                                                • GlobalFree.KERNEL32(00000000), ref: 00117B26
                                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00117B4C
                                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00117B6B
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117B8D
                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00117D7A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                Similarity
                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                • String ID: $AutoIt v3$DISPLAY$static
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,0012F910), ref: 00123627
                                                • IsWindowVisible.USER32(?), ref: 0012364B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                Similarity
                                                • API ID: BuffCharUpperVisibleWindow
                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                APIs
                                                • SetTextColor.GDI32(?,00000000), ref: 0012A630
                                                • GetSysColorBrush.USER32(0000000F), ref: 0012A661
                                                • GetSysColor.USER32(0000000F), ref: 0012A66D
                                                • SetBkColor.GDI32(?,000000FF), ref: 0012A687
                                                • SelectObject.GDI32(?,00000000), ref: 0012A696
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0012A6C1
                                                • GetSysColor.USER32(00000010), ref: 0012A6C9
                                                • CreateSolidBrush.GDI32(00000000), ref: 0012A6D0
                                                • FrameRect.USER32(?,?,00000000), ref: 0012A6DF
                                                • DeleteObject.GDI32(00000000), ref: 0012A6E6
                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0012A731
                                                • FillRect.USER32(?,?,00000000), ref: 0012A763
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0012A78E
                                                  • Part of subcall function 0012A8CA: GetSysColor.USER32(00000012), ref: 0012A903
                                                  • Part of subcall function 0012A8CA: SetTextColor.GDI32(?,?), ref: 0012A907
                                                  • Part of subcall function 0012A8CA: GetSysColorBrush.USER32(0000000F), ref: 0012A91D
                                                  • Part of subcall function 0012A8CA: GetSysColor.USER32(0000000F), ref: 0012A928
                                                  • Part of subcall function 0012A8CA: GetSysColor.USER32(00000011), ref: 0012A945
                                                  • Part of subcall function 0012A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0012A953
                                                  • Part of subcall function 0012A8CA: SelectObject.GDI32(?,00000000), ref: 0012A964
                                                  • Part of subcall function 0012A8CA: SetBkColor.GDI32(?,00000000), ref: 0012A96D
                                                  • Part of subcall function 0012A8CA: SelectObject.GDI32(?,?), ref: 0012A97A
                                                  • Part of subcall function 0012A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0012A999
                                                  • Part of subcall function 0012A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0012A9B0
                                                  • Part of subcall function 0012A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0012A9C5
                                                  • Part of subcall function 0012A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0012A9ED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                APIs
                                                • DestroyWindow.USER32(?,?,?), ref: 000A2CA2
                                                • DeleteObject.GDI32(00000000), ref: 000A2CE8
                                                • DeleteObject.GDI32(00000000), ref: 000A2CF3
                                                • DestroyIcon.USER32(00000000,?,?,?), ref: 000A2CFE
                                                • DestroyWindow.USER32(00000000,?,?,?), ref: 000A2D09
                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 000DC43B
                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000DC474
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000DC89D
                                                  • Part of subcall function 000A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A2036,?,00000000,?,?,?,?,000A16CB,00000000,?), ref: 000A1B9A
                                                • SendMessageW.USER32(?,00001053), ref: 000DC8DA
                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000DC8F1
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 000DC907
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 000DC912
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                Similarity
                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                • String ID: 0
                                                APIs
                                                • DestroyWindow.USER32(00000000), ref: 001174DE
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0011759D
                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001175DB
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001175ED
                                                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00117633
                                                • GetClientRect.USER32(00000000,?), ref: 0011763F
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00117683
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00117692
                                                • GetStockObject.GDI32(00000011), ref: 001176A2
                                                • SelectObject.GDI32(00000000,00000000), ref: 001176A6
                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001176B6
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001176BF
                                                • DeleteDC.GDI32(00000000), ref: 001176C8
                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001176F4
                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 0011770B
                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00117746
                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0011775A
                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 0011776B
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0011779B
                                                • GetStockObject.GDI32(00000011), ref: 001177A6
                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001177B1
                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001177BB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                Similarity
                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0010AD1E
                                                • GetDriveTypeW.KERNEL32(?,0012FAC0,?,\\.\,0012F910), ref: 0010ADFB
                                                • SetErrorMode.KERNEL32(00000000,0012FAC0,?,\\.\,0012F910), ref: 0010AF59
                                                Similarity
                                                • API ID: ErrorMode$DriveType
                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                • API String ID: 2907320926-4222207086
                                                • Opcode ID: 6e019c72dc0639dc406cbee27707ea2f34052c73e639d8fc463455001f755353
                                                • Instruction ID: a6b898d564b5b313cecff11d9c09d449ec58886e10a5b3de5d909a8855d1154d
                                                • Opcode Fuzzy Hash: 6e019c72dc0639dc406cbee27707ea2f34052c73e639d8fc463455001f755353
                                                • Instruction Fuzzy Hash: 1B51B2B0644306EBCB14EB60C942CBD73A5EF09701BA08066E897BB2D1DFB09D45DB53
                                                APIs
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 1038674560-86951937
                                                • Opcode ID: 771e34d85954e8f9dec05b4cb23a8ef6d7a5e4a3bf1d58a42642e6d9e92505f0
                                                • Instruction ID: 7456fc570bb30308fa2d236fc28756fdaae367797c5aec9ed62d86998dd01a4b
                                                • Opcode Fuzzy Hash: 771e34d85954e8f9dec05b4cb23a8ef6d7a5e4a3bf1d58a42642e6d9e92505f0
                                                • Instruction Fuzzy Hash: 2D81EBB1644305AACB21BBA0EC47FFF37B8AF16700F084029F905AB197EB71DA55D661
                                                APIs
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00129AD2
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00129B8B
                                                • SendMessageW.USER32(?,00001102,00000002,?), ref: 00129BA7
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: 0
                                                • API String ID: 2326795674-4108050209
                                                • Opcode ID: 955c259e31a7094110de7a553448b2e2ede6d25a73fd322e9e691d76502dfb4e
                                                • Instruction ID: 213cff6e459b1c8d25e429476d5d5da3a5f4055e8e16efd62c7f104db359642d
                                                • Opcode Fuzzy Hash: 955c259e31a7094110de7a553448b2e2ede6d25a73fd322e9e691d76502dfb4e
                                                • Instruction Fuzzy Hash: BD020270104321AFD725CF28ED48BAABBE5FF49310F04852CF999D62A1C734D9A5CB52
                                                APIs
                                                • GetSysColor.USER32(00000012), ref: 0012A903
                                                • SetTextColor.GDI32(?,?), ref: 0012A907
                                                • GetSysColorBrush.USER32(0000000F), ref: 0012A91D
                                                • GetSysColor.USER32(0000000F), ref: 0012A928
                                                • CreateSolidBrush.GDI32(?), ref: 0012A92D
                                                • GetSysColor.USER32(00000011), ref: 0012A945
                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0012A953
                                                • SelectObject.GDI32(?,00000000), ref: 0012A964
                                                • SetBkColor.GDI32(?,00000000), ref: 0012A96D
                                                • SelectObject.GDI32(?,?), ref: 0012A97A
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0012A999
                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0012A9B0
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0012A9C5
                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0012A9ED
                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0012AA14
                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 0012AA32
                                                • DrawFocusRect.USER32(?,?), ref: 0012AA3D
                                                • GetSysColor.USER32(00000011), ref: 0012AA4B
                                                • SetTextColor.GDI32(?,00000000), ref: 0012AA53
                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0012AA67
                                                • SelectObject.GDI32(?,0012A5FA), ref: 0012AA7E
                                                • DeleteObject.GDI32(?), ref: 0012AA89
                                                • SelectObject.GDI32(?,?), ref: 0012AA8F
                                                • DeleteObject.GDI32(?), ref: 0012AA94
                                                • SetTextColor.GDI32(?,?), ref: 0012AA9A
                                                • SetBkColor.GDI32(?,?), ref: 0012AAA4
                                                Similarity
                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 1996641542-0
                                                • Opcode ID: 13b68abdbfd25a4a6b1e62e919b0213fe8f84e8b2d042b9fb3c5178cced9f6f9
                                                • Instruction ID: 43d03b29df357984cceb55e4686f28223a3fd51c3f141045deecf81f6798f7e2
                                                • Opcode Fuzzy Hash: 13b68abdbfd25a4a6b1e62e919b0213fe8f84e8b2d042b9fb3c5178cced9f6f9
                                                • Instruction Fuzzy Hash: 6B513E71900218FFDF119FA4DC48EAE7B79EF08320F114129F911AB2A1D77599A2DF90
                                                APIs
                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00128AC1
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00128AD2
                                                • CharNextW.USER32(0000014E), ref: 00128B01
                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00128B42
                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00128B58
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00128B69
                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00128B86
                                                • SetWindowTextW.USER32(?,0000014E), ref: 00128BD8
                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00128BEE
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00128C1F
                                                • _memset.LIBCMT ref: 00128C44
                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00128C8D
                                                • _memset.LIBCMT ref: 00128CEC
                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00128D16
                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 00128D6E
                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 00128E1B
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00128E3D
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00128E87
                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00128EB4
                                                • DrawMenuBar.USER32(?), ref: 00128EC3
                                                • SetWindowTextW.USER32(?,0000014E), ref: 00128EEB
                                                Similarity
                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                • String ID: 0
                                                • API String ID: 1073566785-4108050209
                                                • Opcode ID: 0058aa89dab298ae59606fc20557c13db3bd02deb591933aa3af662bb5b11bc4
                                                • Instruction ID: 73c223538c3b99f00d279494f24e1090eb3d246464f652cf7d542b7b18d7afa3
                                                • Opcode Fuzzy Hash: 0058aa89dab298ae59606fc20557c13db3bd02deb591933aa3af662bb5b11bc4
                                                • Instruction Fuzzy Hash: D7E17170901228AFDF209F64DC84EEE7B79EF05710F10815AF915AB291DF709AA6DF60
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 001249CA
                                                • GetDesktopWindow.USER32 ref: 001249DF
                                                • GetWindowRect.USER32(00000000), ref: 001249E6
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00124A48
                                                • DestroyWindow.USER32(?), ref: 00124A74
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00124A9D
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00124ABB
                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00124AE1
                                                • SendMessageW.USER32(?,00000421,?,?), ref: 00124AF6
                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00124B09
                                                • IsWindowVisible.USER32(?), ref: 00124B29
                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00124B44
                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00124B58
                                                • GetWindowRect.USER32(?,?), ref: 00124B70
                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 00124B96
                                                • GetMonitorInfoW.USER32(00000000,?), ref: 00124BB0
                                                • CopyRect.USER32(?,?), ref: 00124BC7
                                                • SendMessageW.USER32(?,00000412,00000000), ref: 00124C32
                                                Similarity
                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                • String ID: ($0$tooltips_class32
                                                • API String ID: 698492251-4156429822
                                                • Opcode ID: 557c3ad461d27e16ad1f52f137c50abf09956c1408a270e9dd9528d91bdff076
                                                • Instruction ID: 36c5f422a495e10f4b97f3170e36950e067b4f4f9e5e2efa271c0d62ea22eba5
                                                • Opcode Fuzzy Hash: 557c3ad461d27e16ad1f52f137c50abf09956c1408a270e9dd9528d91bdff076
                                                • Instruction Fuzzy Hash: 14B1AA70604350AFDB14DF64D848B6ABBE4FF89310F00892CF99A9B2A1D770EC55CB96
                                                APIs
                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001044AC
                                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001044D2
                                                • _wcscpy.LIBCMT ref: 00104500
                                                • _wcscmp.LIBCMT ref: 0010450B
                                                • _wcscat.LIBCMT ref: 00104521
                                                • _wcsstr.LIBCMT ref: 0010452C
                                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00104548
                                                • _wcscat.LIBCMT ref: 00104591
                                                • _wcscat.LIBCMT ref: 00104598
                                                • _wcsncpy.LIBCMT ref: 001045C3
                                                Similarity
                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                • API String ID: 699586101-1459072770
                                                • Opcode ID: e71906a44d00bcc4aa9458f261e15cce41b18bb645a7c74c64dcf97298f7201e
                                                • Instruction ID: ff445a8042c571babb88234755e5edc1ef3e8d328312b63308538583b0062235
                                                • Opcode Fuzzy Hash: e71906a44d00bcc4aa9458f261e15cce41b18bb645a7c74c64dcf97298f7201e
                                                • Instruction Fuzzy Hash: 3D41AF72A40200BBDB14AB649C47FFF77ACDF45710F04406EFA05A61C3EB75AA1296A9
                                                APIs
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A28BC
                                                • GetSystemMetrics.USER32(00000007), ref: 000A28C4
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A28EF
                                                • GetSystemMetrics.USER32(00000008), ref: 000A28F7
                                                • GetSystemMetrics.USER32(00000004), ref: 000A291C
                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000A2939
                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000A2949
                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000A297C
                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000A2990
                                                • GetClientRect.USER32(00000000,000000FF), ref: 000A29AE
                                                • GetStockObject.GDI32(00000011), ref: 000A29CA
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 000A29D5
                                                  • Part of subcall function 000A2344: GetCursorPos.USER32(?), ref: 000A2357
                                                  • Part of subcall function 000A2344: ScreenToClient.USER32(001657B0,?), ref: 000A2374
                                                  • Part of subcall function 000A2344: GetAsyncKeyState.USER32(00000001), ref: 000A2399
                                                  • Part of subcall function 000A2344: GetAsyncKeyState.USER32(00000002), ref: 000A23A7
                                                • SetTimer.USER32(00000000,00000000,00000028,000A1256), ref: 000A29FC
                                                Similarity
                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                • String ID: AutoIt v3 GUI
                                                • API String ID: 1458621304-248962490
                                                • Opcode ID: dcaa87aac8ce0aed26ee9fd783ca3772f9a29cb6722ce1b6a081cdcabf2f454e
                                                • Instruction ID: 6ee010205c04bfd8856bb293c24d9b4a13a8ec1c8deb02a42f4d9b5cbe15efa7
                                                • Opcode Fuzzy Hash: dcaa87aac8ce0aed26ee9fd783ca3772f9a29cb6722ce1b6a081cdcabf2f454e
                                                • Instruction Fuzzy Hash: C9B15C71A0020AEFDB24DFA8DD45BAE7BB5FB09311F104239FA15E76A0DB749851CB50
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000100), ref: 000FA47A
                                                • __swprintf.LIBCMT ref: 000FA51B
                                                • _wcscmp.LIBCMT ref: 000FA52E
                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000FA583
                                                • _wcscmp.LIBCMT ref: 000FA5BF
                                                • GetClassNameW.USER32(?,?,00000400), ref: 000FA5F6
                                                • GetDlgCtrlID.USER32(?), ref: 000FA648
                                                • GetWindowRect.USER32(?,?), ref: 000FA67E
                                                • GetParent.USER32(?), ref: 000FA69C
                                                • ScreenToClient.USER32(00000000), ref: 000FA6A3
                                                • GetClassNameW.USER32(?,?,00000100), ref: 000FA71D
                                                • _wcscmp.LIBCMT ref: 000FA731
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 000FA757
                                                • _wcscmp.LIBCMT ref: 000FA76B
                                                  • Part of subcall function 000C362C: _iswctype.LIBCMT ref: 000C3634
                                                Similarity
                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                • String ID: %s%u
                                                • API String ID: 3744389584-679674701
                                                • Opcode ID: cf8a824cc0c21ebd85a32e39beafd4dbcf35ea3bcec5df6f9b8226b7f9663f5d
                                                • Instruction ID: b3e6ab80a528795f6c14662530ca6856c8382d8a2b51465eb91fe7951be5fd71
                                                • Opcode Fuzzy Hash: cf8a824cc0c21ebd85a32e39beafd4dbcf35ea3bcec5df6f9b8226b7f9663f5d
                                                • Instruction Fuzzy Hash: 63A1BEB130470AABD714EF60C884FBAB7E8FF45314F008529EA9DC2591DB34E956DB92
                                                APIs
                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 000FAF18
                                                • _wcscmp.LIBCMT ref: 000FAF29
                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 000FAF51
                                                • CharUpperBuffW.USER32(?,00000000), ref: 000FAF6E
                                                • _wcscmp.LIBCMT ref: 000FAF8C
                                                • _wcsstr.LIBCMT ref: 000FAF9D
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 000FAFD5
                                                • _wcscmp.LIBCMT ref: 000FAFE5
                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 000FB00C
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 000FB055
                                                • _wcscmp.LIBCMT ref: 000FB065
                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 000FB08D
                                                • GetWindowRect.USER32(00000004,?), ref: 000FB0F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                • String ID: @$ThumbnailClass
                                                • API String ID: 1788623398-1539354611
                                                • Opcode ID: 1859d7c31e132ec6df607e601d6cbeb77245cdf44db08b38bbc2046cc7768d10
                                                • Instruction ID: 8ce968471b599967963991b7166da179c9d2486941742d68c9c4d2af16b68b1f
                                                • Opcode Fuzzy Hash: 1859d7c31e132ec6df607e601d6cbeb77245cdf44db08b38bbc2046cc7768d10
                                                • Instruction Fuzzy Hash: AA81BF711082099FDB14DF50C881FBA7BE8FF45314F148469FE898A492DB34DE8ADB61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                • API String ID: 1038674560-1810252412
                                                • Opcode ID: 9ee33da5f747c7e53f49ccf36db91c679074da3b0249e610b37488d9b5b6dfd7
                                                • Instruction ID: 8bddbd528f7cc7e93d18503f47a57304967d5e359326be6f01ab21f7c495a0aa
                                                • Opcode Fuzzy Hash: 9ee33da5f747c7e53f49ccf36db91c679074da3b0249e610b37488d9b5b6dfd7
                                                • Instruction Fuzzy Hash: 8F31B271A48209E6DA14EBA0EE43FFE77A4AB11712F244018B91A764D2EB516F089692
                                                APIs
                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 00115013
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 0011501E
                                                • LoadCursorW.USER32(00000000,00007F03), ref: 00115029
                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 00115034
                                                • LoadCursorW.USER32(00000000,00007F01), ref: 0011503F
                                                • LoadCursorW.USER32(00000000,00007F81), ref: 0011504A
                                                • LoadCursorW.USER32(00000000,00007F88), ref: 00115055
                                                • LoadCursorW.USER32(00000000,00007F80), ref: 00115060
                                                • LoadCursorW.USER32(00000000,00007F86), ref: 0011506B
                                                • LoadCursorW.USER32(00000000,00007F83), ref: 00115076
                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00115081
                                                • LoadCursorW.USER32(00000000,00007F82), ref: 0011508C
                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00115097
                                                • LoadCursorW.USER32(00000000,00007F04), ref: 001150A2
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 001150AD
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 001150B8
                                                • GetCursorInfo.USER32(?), ref: 001150C8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Cursor$Load$Info
                                                • String ID:
                                                • API String ID: 2577412497-0
                                                • Opcode ID: 287845cd556143aea1be6d442c90948587be05d70a53d61791b370fe59bd4280
                                                • Instruction ID: 2389b825f77e04fd0c612a890c776c31f0abb2de5a440766ee6a031e1e1b284e
                                                • Opcode Fuzzy Hash: 287845cd556143aea1be6d442c90948587be05d70a53d61791b370fe59bd4280
                                                • Instruction Fuzzy Hash: 3F3114B1D08319AADF109FB68C8999EBFE9FF08750F50453AA50CE7280DB7865418FA1
                                                APIs
                                                • _memset.LIBCMT ref: 0012A259
                                                • DestroyWindow.USER32(?,?), ref: 0012A2D3
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0012A34D
                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0012A36F
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0012A382
                                                • DestroyWindow.USER32(00000000), ref: 0012A3A4
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000A0000,00000000), ref: 0012A3DB
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0012A3F4
                                                • GetDesktopWindow.USER32 ref: 0012A40D
                                                • GetWindowRect.USER32(00000000), ref: 0012A414
                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0012A42C
                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0012A444
                                                  • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                • String ID: 0$tooltips_class32
                                                • API String ID: 1297703922-3619404913
                                                • Opcode ID: dd97495f4c5a43ed5cdad150b5566bb6f5065c0fae559dc41cf84e03e29c733c
                                                • Instruction ID: e77bf7342aae11859fe3a579ef33633dc6aaa4b43b8ce1b164c61c07c0102d1c
                                                • Opcode Fuzzy Hash: dd97495f4c5a43ed5cdad150b5566bb6f5065c0fae559dc41cf84e03e29c733c
                                                • Instruction Fuzzy Hash: 7071BC74140245AFD721DF28DC48FAA7BFAFB88700F48452CF985876A1C7B0E966CB52
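The function summaries on this page follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and since the report flags the sample as a compiled AutoIt script, most of these call sites belong to the AutoIt interpreter rather than to the Remcos payload. Parsing the blocks into records lets an analyst search them for a given API or compare API String IDs against a report for a known-clean AutoIt3 runtime and concentrate on the functions that differ. The Python below is an added example written for this report, not Joe Sandbox's own code: it parses the APIs and Similarity fields, keeps "Part of subcall function" entries apart from the function's own calls, and exposes a small lookup helper. The embedded sample is an abbreviated excerpt of the "ThumbnailClass" and "tooltips_class32" blocks above; the section names and the "$" separator in String ID are assumptions taken from the layout shown on this page, and the function and field names are mine.

```python
"""Parse Joe Sandbox IDA-plugin function summaries for triage.
Added example for this report, not Joe Sandbox's own code; it assumes the
section names and the '$' string separator seen in the blocks on this page."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Abbreviated excerpt of two function blocks from the report above (sample input).
SAMPLE = """\
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 000FAF18
• _wcscmp.LIBCMT ref: 000FAF29
• GetWindowRect.USER32(00000004,?), ref: 000FB0F6
Strings
Similarity
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Instruction Fuzzy Hash: AA81BF711082099FDB14DF50C881FBA7BE8FF45314F148469FE898A492DB34DE8ADB61
APIs
• _memset.LIBCMT ref: 0012A259
• DestroyWindow.USER32(?,?), ref: 0012A2D3
  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0012A34D
• GetDesktopWindow.USER32 ref: 0012A40D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0012A42C
Similarity
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Instruction Fuzzy Hash: 7071BC74140245AFD721DF28DC48FAA7BFAFB88700F48452CF985876A1C7B0E966CB52
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or, for calls listed without arguments, "Name.MODULE ref: ADDR"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*(?P<call>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str          # call-site address in the dump, as printed (hex)
    caller: str = ""  # set when the call is listed under "Part of subcall function"


@dataclass
class FuncSummary:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # a repeated key overwrites the earlier one

    @property
    def direct_calls(self) -> list[ApiCall]:
        return [c for c in self.calls if not c.caller]

    @property
    def strings(self) -> list[str]:  # Joe Sandbox joins referenced strings with '$'
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    @property
    def api_string_id(self) -> tuple[int, int]:
        a, b = self.meta["API String ID"].split("-")
        return int(a), int(b)


def _parse_call(text: str, caller: str = "") -> ApiCall | None:
    m = API_RE.match(text)
    if not m:
        return None
    args = [a for a in (m.group("args") or "").split(",") if a]
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), caller)


def parse_summaries(text: str) -> list[FuncSummary]:
    """Every 'APIs' header starts a new function summary; bullets are parsed per section."""
    records: list[FuncSummary] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FuncSummary()
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                sub = SUBCALL_RE.match(body)
                call = _parse_call(sub.group("call"), sub.group("caller")) if sub else _parse_call(body)
                if call:
                    current.calls.append(call)
            elif (m := FIELD_RE.match(body)):
                current.meta[m.group("key")] = m.group("value").strip()
    return records


def functions_calling(records: list[FuncSummary], api_name: str) -> list[int]:
    """Indexes of summaries whose own (non-subcall) code calls api_name."""
    return [i for i, r in enumerate(records) if any(c.name == api_name for c in r.direct_calls)]
```

Feed it the text of a whole report section rather than the excerpt and `functions_calling` gives the blocks to open first (for this sample, those reaching SetWindowsHookExW or WriteProcessMemory, which the head of the report flags); the API String ID pairs are what to set-difference against a clean AutoIt3.exe report from the same Joe Sandbox version.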
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • DragQueryPoint.SHELL32(?,?), ref: 0012C627
                                                  • Part of subcall function 0012AB37: ClientToScreen.USER32(?,?), ref: 0012AB60
                                                  • Part of subcall function 0012AB37: GetWindowRect.USER32(?,?), ref: 0012ABD6
                                                  • Part of subcall function 0012AB37: PtInRect.USER32(?,?,0012C014), ref: 0012ABE6
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0012C690
                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0012C69B
                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0012C6BE
                                                • _wcscat.LIBCMT ref: 0012C6EE
                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0012C705
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0012C71E
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0012C735
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0012C757
                                                • DragFinish.SHELL32(?), ref: 0012C75E
                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0012C851
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                • API String ID: 169749273-3440237614
                                                • Opcode ID: 73e234e72c1ed1b46347a881dd150b28aa0b6ba8c0bf4d6f9c5902feffe09d1d
                                                • Instruction ID: 53e398dfe3ae870e1078013a50e30bcf1e52a9f290a71e1023af37064488bd38
                                                • Opcode Fuzzy Hash: 73e234e72c1ed1b46347a881dd150b28aa0b6ba8c0bf4d6f9c5902feffe09d1d
                                                • Instruction Fuzzy Hash: C1618D71108300AFC711EFA4DC85DAFBBF8EF89310F40492EF695961A1DB709959CB92
                                                APIs
                                                • VariantInit.OLEAUT32(00000000), ref: 00107D5F
                                                • VariantCopy.OLEAUT32(00000000,?), ref: 00107D68
                                                • VariantClear.OLEAUT32(00000000), ref: 00107D74
                                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00107E62
                                                • __swprintf.LIBCMT ref: 00107E92
                                                • VarR8FromDec.OLEAUT32(?,?), ref: 00107EBE
                                                • VariantInit.OLEAUT32(?), ref: 00107F6F
                                                • SysFreeString.OLEAUT32(00000016), ref: 00108003
                                                • VariantClear.OLEAUT32(?), ref: 0010805D
                                                • VariantClear.OLEAUT32(?), ref: 0010806C
                                                • VariantInit.OLEAUT32(00000000), ref: 001080AA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                • API String ID: 3730832054-3931177956
                                                • Opcode ID: 1ac365acecc6e8f692f88a6683cacf427b283e2f9ce425a61a0520959ee47c8d
                                                • Instruction ID: e14a28a98bce60bfbebb117a5d359922b7c4b6cdc1d367fa93f6ba8492904017
                                                • Opcode Fuzzy Hash: 1ac365acecc6e8f692f88a6683cacf427b283e2f9ce425a61a0520959ee47c8d
                                                • Instruction Fuzzy Hash: 29D1F270A08616EBCF14AFA5D844BBAB7B5BF05300F218469F4859B2C5CBB4FC54DBA1
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 00124424
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0012446F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharMessageSendUpper
                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                • API String ID: 3974292440-4258414348
                                                • Opcode ID: fc11054ec2d8635ebaca2fb280f0c1de48f1f7db79b870668191bf7c5dce97c5
                                                • Instruction ID: a4ba3643fbcc7556ecda599032bdff2cabf702c4b71fb8084010e24fd8d10542
                                                • Opcode Fuzzy Hash: fc11054ec2d8635ebaca2fb280f0c1de48f1f7db79b870668191bf7c5dce97c5
                                                • Instruction Fuzzy Hash: 80916E702043119FCB04EF10C451AAEB7A1AF96750F05486CF8A66B7A3CB35ED59CB92
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0012B8B4
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001291C2), ref: 0012B910
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0012B949
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0012B98C
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0012B9C3
                                                • FreeLibrary.KERNEL32(?), ref: 0012B9CF
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0012B9DF
                                                • DestroyIcon.USER32(?,?,?,?,?,001291C2), ref: 0012B9EE
                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0012BA0B
                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0012BA17
                                                  • Part of subcall function 000C2EFD: __wcsicmp_l.LIBCMT ref: 000C2F86
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                • String ID: .dll$.exe$.icl
                                                • API String ID: 1212759294-1154884017
                                                • Opcode ID: 4bb3c9de79fd44b7e08b930182080fa1aad6306de032d165d672546677cccdf5
                                                • Instruction ID: 185a61b46cbf9b830fc00b198dfe17a30669e59a1876609e3de399a7022ab0b6
                                                • Opcode Fuzzy Hash: 4bb3c9de79fd44b7e08b930182080fa1aad6306de032d165d672546677cccdf5
                                                • Instruction Fuzzy Hash: 7161FFB1904229BAEF14DF64DC81FFE7BB8EB08710F104129FA15D61C1DB74A9A1DBA0
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 0010DCDC
                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0010DCEC
                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0010DCF8
                                                • __wsplitpath.LIBCMT ref: 0010DD56
                                                • _wcscat.LIBCMT ref: 0010DD6E
                                                • _wcscat.LIBCMT ref: 0010DD80
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0010DD95
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DDA9
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DDDB
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DDFC
                                                • _wcscpy.LIBCMT ref: 0010DE08
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0010DE47
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                • String ID: *.*
                                                • API String ID: 3566783562-438819550
                                                • Opcode ID: dc06fe671bacfbda44ebc30ac69cb30ced820ba9439580deefb6fc1f0ae9df14
                                                • Instruction ID: c7bd7d352d135cae011112c0748f8cdec1aa27add8e5eb2d8b2ff821cf2bd5a1
                                                • Opcode Fuzzy Hash: dc06fe671bacfbda44ebc30ac69cb30ced820ba9439580deefb6fc1f0ae9df14
                                                • Instruction Fuzzy Hash: 316159725042059FDB10EFA0D845AAEB3E8FF89314F04492DF98987292EB75E945CB92
                                                APIs
                                                • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00109C7F
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00109CA0
                                                • __swprintf.LIBCMT ref: 00109CF9
                                                • __swprintf.LIBCMT ref: 00109D12
                                                • _wprintf.LIBCMT ref: 00109DB9
                                                • _wprintf.LIBCMT ref: 00109DD7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: LoadString__swprintf_wprintf$_memmove
                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                • API String ID: 311963372-3080491070
                                                APIs
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • CharLowerBuffW.USER32(?,?), ref: 0010A3CB
                                                • GetDriveTypeW.KERNEL32 ref: 0010A418
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010A460
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010A497
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010A4C5
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 2698844021-4113822522
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,000DE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 000FF8DF
                                                • LoadStringW.USER32(00000000,?,000DE029,00000001), ref: 000FF8E8
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                • GetModuleHandleW.KERNEL32(00000000,00165310,?,00000FFF,?,?,000DE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 000FF90A
                                                • LoadStringW.USER32(00000000,?,000DE029,00000001), ref: 000FF90D
                                                • __swprintf.LIBCMT ref: 000FF95D
                                                • __swprintf.LIBCMT ref: 000FF96E
                                                • _wprintf.LIBCMT ref: 000FFA17
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000FFA2E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                • API String ID: 984253442-2268648507
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00129207,?,?), ref: 0012BA56
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA6D
                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA78
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA85
                                                • GlobalLock.KERNEL32(00000000), ref: 0012BA8E
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA9D
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0012BAA6
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BAAD
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BABE
                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00132CAC,?), ref: 0012BAD7
                                                • GlobalFree.KERNEL32(00000000), ref: 0012BAE7
                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0012BB0B
                                                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0012BB36
                                                • DeleteObject.GDI32(00000000), ref: 0012BB5E
                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0012BB74
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                • String ID:
                                                • API String ID: 3840717409-0
                                                APIs
                                                • __wsplitpath.LIBCMT ref: 0010DA10
                                                • _wcscat.LIBCMT ref: 0010DA28
                                                • _wcscat.LIBCMT ref: 0010DA3A
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0010DA4F
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DA63
                                                • GetFileAttributesW.KERNEL32(?), ref: 0010DA7B
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 0010DA95
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DAA7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                • String ID: *.*
                                                • API String ID: 34673085-438819550
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0012C1FC
                                                • GetFocus.USER32 ref: 0012C20C
                                                • GetDlgCtrlID.USER32(00000000), ref: 0012C217
                                                • _memset.LIBCMT ref: 0012C342
                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0012C36D
                                                • GetMenuItemCount.USER32(?), ref: 0012C38D
                                                • GetMenuItemID.USER32(?,00000000), ref: 0012C3A0
                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0012C3D4
                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0012C41C
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0012C454
                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0012C489
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                • String ID: 0
                                                • API String ID: 1296962147-4108050209
                                                APIs
                                                • GetDC.USER32(00000000), ref: 0011738F
                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0011739B
                                                • CreateCompatibleDC.GDI32(?), ref: 001173A7
                                                • SelectObject.GDI32(00000000,?), ref: 001173B4
                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00117408
                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00117444
                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00117468
                                                • SelectObject.GDI32(00000006,?), ref: 00117470
                                                • DeleteObject.GDI32(?), ref: 00117479
                                                • DeleteDC.GDI32(00000006), ref: 00117480
                                                • ReleaseDC.USER32(00000000,?), ref: 0011748B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                • String ID: (
                                                • API String ID: 2598888154-3887548279
                                                APIs
                                                  • Part of subcall function 000C0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000A6B0C,?,00008000), ref: 000C0973
                                                  • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000A6BAD
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 000A6CFA
                                                  • Part of subcall function 000A586D: _wcscpy.LIBCMT ref: 000A58A5
                                                  • Part of subcall function 000C363D: _iswctype.LIBCMT ref: 000C3645
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                • API String ID: 537147316-1018226102
                                                APIs
                                                • _memset.LIBCMT ref: 00102D50
                                                • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00102DDD
                                                • GetMenuItemCount.USER32(00165890), ref: 00102E66
                                                • DeleteMenu.USER32(00165890,00000005,00000000,000000F5,?,?), ref: 00102EF6
                                                • DeleteMenu.USER32(00165890,00000004,00000000), ref: 00102EFE
                                                • DeleteMenu.USER32(00165890,00000006,00000000), ref: 00102F06
                                                • DeleteMenu.USER32(00165890,00000003,00000000), ref: 00102F0E
                                                • GetMenuItemCount.USER32(00165890), ref: 00102F16
                                                • SetMenuItemInfoW.USER32(00165890,00000004,00000000,00000030), ref: 00102F4C
                                                • GetCursorPos.USER32(?), ref: 00102F56
                                                • SetForegroundWindow.USER32(00000000), ref: 00102F5F
                                                • TrackPopupMenuEx.USER32(00165890,00000000,?,00000000,00000000,00000000), ref: 00102F72
                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00102F7E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                • String ID:
                                                • API String ID: 3993528054-0
                                                APIs
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                • _memset.LIBCMT ref: 000F786B
                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000F78A0
                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000F78BC
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000F78D8
                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000F7902
                                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 000F792A
                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000F7935
                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000F793A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                • API String ID: 1411258926-22481851
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                • API String ID: 3964851224-909552448
                                                • Opcode ID: 34d7a43fb21796379853a16937075cef095be0968e0d8d4cf5b53167c7480623
                                                • Instruction ID: e661cd11e6e3fd4d923f470549f0098b2de99be0f1203e8ee2c0f6f0fe2cd223
                                                • Opcode Fuzzy Hash: 34d7a43fb21796379853a16937075cef095be0968e0d8d4cf5b53167c7480623
                                                • Instruction Fuzzy Hash: 2B41793214426ACBCF15EF10EE65AEF3760AF19300F154518FC652B293DB349D6ACBA2
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000DE2A0,00000010,?,Bad directive syntax error,0012F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000FF7C2
                                                • LoadStringW.USER32(00000000,?,000DE2A0,00000010), ref: 000FF7C9
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                • _wprintf.LIBCMT ref: 000FF7FC
                                                • __swprintf.LIBCMT ref: 000FF81E
                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000FF88D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                • API String ID: 1506413516-4153970271
                                                • Opcode ID: 3823331b64f84f99b1cab5322b3412fee30d7948f0fe2b91b234c7e71da6a74b
                                                • Instruction ID: 4123be66f87af716f1654935bc0e29e1c2d017594187643e80a4372c775db969
                                                • Opcode Fuzzy Hash: 3823331b64f84f99b1cab5322b3412fee30d7948f0fe2b91b234c7e71da6a74b
                                                • Instruction Fuzzy Hash: 12216D3290021EFBCF11EF90CC4AEFE7779BF18311F044469B5196A0A2EB719669DB50
                                                APIs
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                  • Part of subcall function 000A7924: _memmove.LIBCMT ref: 000A79AD
                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00105330
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00105346
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00105357
                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00105369
                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0010537A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: SendString$_memmove
                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                • API String ID: 2279737902-1007645807
                                                • Opcode ID: df8d44407615cac530ca50055e72f4a8b6402644c1a70a742f91b51456f1b628
                                                • Instruction ID: f4331249e8898fcda2030241517d96a5de8826613066d87abb231d14012d0120
                                                • Opcode Fuzzy Hash: df8d44407615cac530ca50055e72f4a8b6402644c1a70a742f91b51456f1b628
                                                • Instruction Fuzzy Hash: 74119431A5012DB9D724B7A5CC4ADFF7B7CFB96B41F400429B815AA0D2DFA01D49C9B0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 208665112-3771769585
                                                • Opcode ID: ea7a4a70ccb914de5c623bde32278029bd1045d0f8910273c9d64e317aca94f2
                                                • Instruction ID: 4e53868eb56182d6f8b37a048c8b333e5cffd81cb2e1f083df5c3b365f8a53b4
                                                • Opcode Fuzzy Hash: ea7a4a70ccb914de5c623bde32278029bd1045d0f8910273c9d64e317aca94f2
                                                • Instruction Fuzzy Hash: F711A571500114BBDB24AB74AC86FDE77BCEB51711F0401BEF58596092EFB19AC28A50
                                                APIs
                                                • timeGetTime.WINMM ref: 00104F7A
                                                  • Part of subcall function 000C049F: timeGetTime.WINMM(?,76C1B400,000B0E7B), ref: 000C04A3
                                                • Sleep.KERNEL32(0000000A), ref: 00104FA6
                                                • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00104FCA
                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00104FEC
                                                • SetActiveWindow.USER32 ref: 0010500B
                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00105019
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00105038
                                                • Sleep.KERNEL32(000000FA), ref: 00105043
                                                • IsWindow.USER32 ref: 0010504F
                                                • EndDialog.USER32(00000000), ref: 00105060
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                • String ID: BUTTON
                                                • API String ID: 1194449130-3405671355
                                                • Opcode ID: ee6755c651abf27b0cc0badef8a1da2989dc4c383142f2557047b618b6f88489
                                                • Instruction ID: b94304b88facbfbbb58b7791d579cd34cb489f8e4b4d15b29cfa4fa9501792b8
                                                • Opcode Fuzzy Hash: ee6755c651abf27b0cc0badef8a1da2989dc4c383142f2557047b618b6f88489
                                                • Instruction Fuzzy Hash: DF2165B0204605FFE7205F20EC89E2A776AEB4978AF141038F542819F5DBE14DE68A71
                                                APIs
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • CoInitialize.OLE32(00000000), ref: 0010D5EA
                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0010D67D
                                                • SHGetDesktopFolder.SHELL32(?), ref: 0010D691
                                                • CoCreateInstance.OLE32(00132D7C,00000000,00000001,00158C1C,?), ref: 0010D6DD
                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0010D74C
                                                • CoTaskMemFree.OLE32(?,?), ref: 0010D7A4
                                                • _memset.LIBCMT ref: 0010D7E1
                                                • SHBrowseForFolderW.SHELL32(?), ref: 0010D81D
                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0010D840
                                                • CoTaskMemFree.OLE32(00000000), ref: 0010D847
                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0010D87E
                                                • CoUninitialize.OLE32(00000001,00000000), ref: 0010D880
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                • String ID:
                                                • API String ID: 1246142700-0
                                                • Opcode ID: aae2800fb87f7b75c683bc71fa351b6a4807b38184d3fc59b56aedd1eae5cbe1
                                                • Instruction ID: fd62f07dcb02f694826d756319bf6050d918d79f586bdbe344556300785a6e60
                                                • Opcode Fuzzy Hash: aae2800fb87f7b75c683bc71fa351b6a4807b38184d3fc59b56aedd1eae5cbe1
                                                • Instruction Fuzzy Hash: 86B11C75A00109AFDB14DFA4D884DAEBBB9FF49314F048469F909EB261DB70ED45CB50
                                                APIs
                                                • GetDlgItem.USER32(?,00000001), ref: 000FC283
                                                • GetWindowRect.USER32(00000000,?), ref: 000FC295
                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000FC2F3
                                                • GetDlgItem.USER32(?,00000002), ref: 000FC2FE
                                                • GetWindowRect.USER32(00000000,?), ref: 000FC310
                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000FC364
                                                • GetDlgItem.USER32(?,000003E9), ref: 000FC372
                                                • GetWindowRect.USER32(00000000,?), ref: 000FC383
                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000FC3C6
                                                • GetDlgItem.USER32(?,000003EA), ref: 000FC3D4
                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000FC3F1
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 000FC3FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                • Opcode ID: cc173e7b36e97399f70413ba6251eefc9b6311ccbdaf19c663a632e862c1791e
                                                • Instruction ID: 61679cca9c7cd3917ca6b5c10b1dc4c4c730610b5be3ca481a905b3ce08b4e4d
                                                • Opcode Fuzzy Hash: cc173e7b36e97399f70413ba6251eefc9b6311ccbdaf19c663a632e862c1791e
                                                • Instruction Fuzzy Hash: 17513F71B00209BBDB18CFA9DD8AEAEBBB6EB88710F14813DF615D6690D7709D418B10
                                                APIs
                                                  • Part of subcall function 000A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A2036,?,00000000,?,?,?,?,000A16CB,00000000,?), ref: 000A1B9A
                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000A20D3
                                                • KillTimer.USER32(-00000001,?,?,?,?,000A16CB,00000000,?,?,000A1AE2,?,?), ref: 000A216E
                                                • DestroyAcceleratorTable.USER32(00000000), ref: 000DBCA6
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000A16CB,00000000,?,?,000A1AE2,?,?), ref: 000DBCD7
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000A16CB,00000000,?,?,000A1AE2,?,?), ref: 000DBCEE
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000A16CB,00000000,?,?,000A1AE2,?,?), ref: 000DBD0A
                                                • DeleteObject.GDI32(00000000), ref: 000DBD1C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                • String ID:
                                                • API String ID: 641708696-0
                                                • Opcode ID: 23d9ef9078c05fa811ac6ee96515fe4ecbed2bd613d094ec655a209f4bc080ed
                                                • Instruction ID: 52a3a70ebd2bbbffafa931efbda3c90aac77e08b0dced674bd5b1df2b327d66d
                                                • Opcode Fuzzy Hash: 23d9ef9078c05fa811ac6ee96515fe4ecbed2bd613d094ec655a209f4bc080ed
                                                • Instruction Fuzzy Hash: 0E615831510B01EFCB359F59DD48B29B7F2FB51312F508539E5828BE61C7B1A8A2DBA0
                                                APIs
                                                  • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                • GetSysColor.USER32(0000000F), ref: 000A21D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ColorLongWindow
                                                • String ID:
                                                • API String ID: 259745315-0
                                                • Opcode ID: 1621ef8ae38ca4c11c92c2b7cef4783d0cf02ca1c9df272a313da0071df7c4a8
                                                • Instruction ID: 042db7b04dcaf795e9ebaf6ebfc0a721bf73a761a5faa1d50354144e8de0cc91
                                                • Opcode Fuzzy Hash: 1621ef8ae38ca4c11c92c2b7cef4783d0cf02ca1c9df272a313da0071df7c4a8
                                                • Instruction Fuzzy Hash: 6E417031100540FADB255F6CDC88BB93BA6EB47321F554279FE658A1E6C7318C92DB21
                                                APIs
                                                • CharLowerBuffW.USER32(?,?,0012F910), ref: 0010A90B
                                                • GetDriveTypeW.KERNEL32(00000061,001589A0,00000061), ref: 0010A9D5
                                                • _wcscpy.LIBCMT ref: 0010A9FF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                • API String ID: 2820617543-1000479233
                                                • Opcode ID: 21d53c18131d25f8767269fbe94abcdb144b2f5c665b17157cf1646cdfa2fe09
                                                • Instruction ID: 7b3c9e4c94c09c852851fde01dbc6e97f286096ec48ae2f64e3360189eb3209c
                                                • Opcode Fuzzy Hash: 21d53c18131d25f8767269fbe94abcdb144b2f5c665b17157cf1646cdfa2fe09
                                                • Instruction Fuzzy Hash: EC51B031218301DBC704EF14C992AAFB7A5EF95708F91482DF8D56B2E2DB719909CB53
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __i64tow__itow__swprintf
                                                • String ID: %.15g$0x%p$False$True
                                                • API String ID: 421087845-2263619337
                                                • Opcode ID: efa8fa8e2c7a1b6802e91c4c15f1d580f3d3b942c1e311da2252c56af8fd5d81
                                                • Instruction ID: ef0e35ae0e23e211e8d9dd6270bd28a4a363ca6a849a45f06a83406d0e39a46b
                                                • Opcode Fuzzy Hash: efa8fa8e2c7a1b6802e91c4c15f1d580f3d3b942c1e311da2252c56af8fd5d81
                                                • Instruction Fuzzy Hash: FF41A5716007069BDB249F74D842FBA73E8EF46300F20846EE54ADB296EE3599418B20
                                                APIs
                                                • _memset.LIBCMT ref: 0012716A
                                                • CreateMenu.USER32 ref: 00127185
                                                • SetMenu.USER32(?,00000000), ref: 00127194
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00127221
                                                • IsMenu.USER32(?), ref: 00127237
                                                • CreatePopupMenu.USER32 ref: 00127241
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0012726E
                                                • DrawMenuBar.USER32 ref: 00127276
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                • String ID: 0$F
                                                • API String ID: 176399719-3044882817
                                                • Opcode ID: 02e93f889dc568de060812bcc5282c43e56a2ee61a2e1a1d32a8e866c1e825a9
                                                • Instruction ID: 94683301008c28e0a67e8f8bf5ef8a32a3502cd0f1433de52bc2c2be432bac1c
                                                • Opcode Fuzzy Hash: 02e93f889dc568de060812bcc5282c43e56a2ee61a2e1a1d32a8e866c1e825a9
                                                • Instruction Fuzzy Hash: 4F416A74A01219EFDB20DFA4E984E9A7BF9FF49350F144028F945A73A1D731A921CFA0
                                                APIs
                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0012755E
                                                • CreateCompatibleDC.GDI32(00000000), ref: 00127565
                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00127578
                                                • SelectObject.GDI32(00000000,00000000), ref: 00127580
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0012758B
                                                • DeleteDC.GDI32(00000000), ref: 00127594
                                                • GetWindowLongW.USER32(?,000000EC), ref: 0012759E
                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 001275B2
                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 001275BE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                • String ID: static
                                                • API String ID: 2559357485-2160076837
                                                • Opcode ID: bc396b03013c1c7e3148ebd5c026db61c1cfa67e96ec34c093881fc64a91cbd5
                                                • Instruction ID: fc8fea71e338f6ce555630de288dacda4a34cc498184d57689330e26e479c091
                                                • Opcode Fuzzy Hash: bc396b03013c1c7e3148ebd5c026db61c1cfa67e96ec34c093881fc64a91cbd5
                                                • Instruction Fuzzy Hash: 1F315A72105225BBDF219F64EC49FEB7BB9EF09720F110228FA15960E0C731D862DBA4
                                                APIs
                                                • _memset.LIBCMT ref: 000C6E3E
                                                  • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                • __gmtime64_s.LIBCMT ref: 000C6ED7
                                                • __gmtime64_s.LIBCMT ref: 000C6F0D
                                                • __gmtime64_s.LIBCMT ref: 000C6F2A
                                                • __allrem.LIBCMT ref: 000C6F80
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C6F9C
                                                • __allrem.LIBCMT ref: 000C6FB3
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C6FD1
                                                • __allrem.LIBCMT ref: 000C6FE8
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C7006
                                                • __invoke_watson.LIBCMT ref: 000C7077
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                • String ID:
                                                • API String ID: 384356119-0
                                                • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                • Instruction ID: 73e0c48f54f28f8f61d629fcd5394d9b3caf968e59f9f30ae3968025cc55f52f
                                                • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                • Instruction Fuzzy Hash: 8571B376A00B17ABD724AF68DC41F9EB7E8AF04724F14823EF514D6282E771DD408B91
                                                APIs
                                                • _memset.LIBCMT ref: 00102542
                                                • GetMenuItemInfoW.USER32(00165890,000000FF,00000000,00000030), ref: 001025A3
                                                • SetMenuItemInfoW.USER32(00165890,00000004,00000000,00000030), ref: 001025D9
                                                • Sleep.KERNEL32(000001F4), ref: 001025EB
                                                • GetMenuItemCount.USER32(?), ref: 0010262F
                                                • GetMenuItemID.USER32(?,00000000), ref: 0010264B
                                                • GetMenuItemID.USER32(?,-00000001), ref: 00102675
                                                • GetMenuItemID.USER32(?,?), ref: 001026BA
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00102700
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00102714
                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00102735
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                • String ID:
                                                • API String ID: 4176008265-0
                                                • Opcode ID: 935ffa856b0bc9f6b8a817593c6f50dfab27b932e9a3b5c7e5d02b67294dc7b6
                                                • Instruction ID: fda630814fb1ae3bfbebf8e4a7087d88ca2c12c3be72a2d40b59c4b00ddbcfa4
                                                • Opcode Fuzzy Hash: 935ffa856b0bc9f6b8a817593c6f50dfab27b932e9a3b5c7e5d02b67294dc7b6
                                                • Instruction Fuzzy Hash: A6619F70900249EFDB21CF64CC8CEBE7BB9EB55304F140169F881A7291DBB2AD56DB21
                                                APIs
                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00126FA5
                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00126FA8
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00126FCC
                                                • _memset.LIBCMT ref: 00126FDD
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00126FEF
                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00127067
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow_memset
                                                • String ID:
                                                • API String ID: 830647256-0
                                                • Opcode ID: 1e819145b4b63f4d436c82ced363bcdd687d577eaea747960be432a0bb17bd45
                                                • Instruction ID: 405f9b4c18e218d18f16852522ef3e903ccf5e6a4df41383b1ae63909e7b5b41
                                                • Opcode Fuzzy Hash: 1e819145b4b63f4d436c82ced363bcdd687d577eaea747960be432a0bb17bd45
                                                • Instruction Fuzzy Hash: 17617971A00218AFDB11DFA4DC81EEE77B9EF09710F104169FA14AB2E1C771AD65DBA0
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000F6BBF
                                                • SafeArrayAllocData.OLEAUT32(?), ref: 000F6C18
                                                • VariantInit.OLEAUT32(?), ref: 000F6C2A
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 000F6C4A
                                                • VariantCopy.OLEAUT32(?,?), ref: 000F6C9D
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 000F6CB1
                                                • VariantClear.OLEAUT32(?), ref: 000F6CC6
                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 000F6CD3
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000F6CDC
                                                • VariantClear.OLEAUT32(?), ref: 000F6CEE
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000F6CF9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                • Opcode ID: 1495625a2ded752bc7becf8ca481ea7aa2c04472b2dbad14ab80926a7307ee8f
                                                • Instruction ID: 06d8619a997e6847deb8d474df52c1a652ce27a42010c65191f8fe21fcc8f9f2
                                                • Opcode Fuzzy Hash: 1495625a2ded752bc7becf8ca481ea7aa2c04472b2dbad14ab80926a7307ee8f
                                                • Instruction Fuzzy Hash: 0F415435A0011DAFCF10EFA4D8449FEBBB9EF08350F008079E955D7661CB75AA46DBA0
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 000FFD31
                                                • GetAsyncKeyState.USER32(000000A0), ref: 000FFDB2
                                                • GetKeyState.USER32(000000A0), ref: 000FFDCD
                                                • GetAsyncKeyState.USER32(000000A1), ref: 000FFDE7
                                                • GetKeyState.USER32(000000A1), ref: 000FFDFC
                                                • GetAsyncKeyState.USER32(00000011), ref: 000FFE14
                                                • GetKeyState.USER32(00000011), ref: 000FFE26
                                                • GetAsyncKeyState.USER32(00000012), ref: 000FFE3E
                                                • GetKeyState.USER32(00000012), ref: 000FFE50
                                                • GetAsyncKeyState.USER32(0000005B), ref: 000FFE68
                                                • GetKeyState.USER32(0000005B), ref: 000FFE7A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: 3d1e1c5eb5726f47ce639767bed1d0cccc7d7dcb494e1109e2b6fd6c6281015c
                                                • Instruction ID: 5f730da66d8ec9a9e8b4ee3d04ee285c4a79dc7914f592770fea6d4cfde5e775
                                                • Opcode Fuzzy Hash: 3d1e1c5eb5726f47ce639767bed1d0cccc7d7dcb494e1109e2b6fd6c6281015c
                                                • Instruction Fuzzy Hash: 0A41D8245047CF69FFB09A6488043B5BEE16F21344F0841BDD7C5879D2EBE499D8D7A2
                                                APIs
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • CoInitialize.OLE32 ref: 00118403
                                                • CoUninitialize.OLE32 ref: 0011840E
                                                • CoCreateInstance.OLE32(?,00000000,00000017,00132BEC,?), ref: 0011846E
                                                • IIDFromString.OLE32(?,?), ref: 001184E1
                                                • VariantInit.OLEAUT32(?), ref: 0011857B
                                                • VariantClear.OLEAUT32(?), ref: 001185DC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 834269672-1287834457
                                                • Opcode ID: 3608f67b277ac87a2ec43afcf3a85bceaf73a300936c5ffa8ba983d233f122f7
                                                • Instruction ID: faf53d41f9a8663d1e3c49456099a44e225030b74b3c442a80c85a77a97b5e49
                                                • Opcode Fuzzy Hash: 3608f67b277ac87a2ec43afcf3a85bceaf73a300936c5ffa8ba983d233f122f7
                                                • Instruction Fuzzy Hash: EB61AB70608712AFC718DF54C848BAAB7E9EF49714F00842DF9819B691CB70ED89CB92
                                                APIs
                                                • WSAStartup.WSOCK32(00000101,?), ref: 00115793
                                                • inet_addr.WSOCK32(?,?,?), ref: 001157D8
                                                • gethostbyname.WSOCK32(?), ref: 001157E4
                                                • IcmpCreateFile.IPHLPAPI ref: 001157F2
                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00115862
                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00115878
                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 001158ED
                                                • WSACleanup.WSOCK32 ref: 001158F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                • String ID: Ping
                                                • API String ID: 1028309954-2246546115
                                                • Opcode ID: bcf9b2b268f52a57bc5be0724358a94237c9c663e18e5b9535f6607ea47eaf51
                                                • Instruction ID: ac65bb6a00d96319c02fa87a2f91c4474611e0951b35b6201f5db776c5263a86
                                                • Opcode Fuzzy Hash: bcf9b2b268f52a57bc5be0724358a94237c9c663e18e5b9535f6607ea47eaf51
                                                • Instruction Fuzzy Hash: 4C519E31600700EFD724AF65DC49BAAB7E5EF89710F044539F956EB2A1DB30E881DB52
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0010B4D0
                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0010B546
                                                • GetLastError.KERNEL32 ref: 0010B550
                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 0010B5BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                • API String ID: 4194297153-14809454
                                                • Opcode ID: 9bb54ece1f911d28525c8779c0dc8498098fdcd5f1cd4c1b35ae436495a9f227
                                                • Instruction ID: 1bc8a5088af24540489a4a76a8cb1e44ced6f31ad53b44e97f5d6cf708786ebc
                                                • Opcode Fuzzy Hash: 9bb54ece1f911d28525c8779c0dc8498098fdcd5f1cd4c1b35ae436495a9f227
                                                • Instruction Fuzzy Hash: E3319235A04209EFCB10DFA8CC95EAE77B4FF05311F1041A6E945EB2D2DBB19A46CB51
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000F9014
                                                • GetDlgCtrlID.USER32 ref: 000F901F
                                                • GetParent.USER32 ref: 000F903B
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 000F903E
                                                • GetDlgCtrlID.USER32(?), ref: 000F9047
                                                • GetParent.USER32(?), ref: 000F9063
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 000F9066
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: 66e6ecdfa3ae69ed5e5ca8328c5e84a673fc70010e39c1e36c0e2d795152a88c
                                                • Instruction ID: 2fc2accb62a435557a1c3c4329ae1e6a62a42b2ea6d0e459070ec29bc9edf6aa
                                                • Opcode Fuzzy Hash: 66e6ecdfa3ae69ed5e5ca8328c5e84a673fc70010e39c1e36c0e2d795152a88c
                                                • Instruction Fuzzy Hash: 3321D8B4A00108BFDF14ABA0CC85EFEB774EF49310F104129BA21976E2DF75585ADB21
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000F90FD
                                                • GetDlgCtrlID.USER32 ref: 000F9108
                                                • GetParent.USER32 ref: 000F9124
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 000F9127
                                                • GetDlgCtrlID.USER32(?), ref: 000F9130
                                                • GetParent.USER32(?), ref: 000F914C
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 000F914F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: 86632e53b5fa477199e3e116c954f9a81ff7607330e21c8ff093448f1d649b3b
                                                • Instruction ID: d7323e4bd3c4e751c9ba4024096e2f09f593a4f7591a298c024a4d08e9f677b8
                                                • Opcode Fuzzy Hash: 86632e53b5fa477199e3e116c954f9a81ff7607330e21c8ff093448f1d649b3b
                                                • Instruction Fuzzy Hash: 092198B4A00108BFDF11ABA4CC85FFEBBB4EF49300F104129BA55976A2DB75545AEB21
                                                APIs
                                                • GetParent.USER32 ref: 000F916F
                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 000F9184
                                                • _wcscmp.LIBCMT ref: 000F9196
                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000F9211
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameParentSend_wcscmp
                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                • API String ID: 1704125052-3381328864
                                                • Opcode ID: 86ca2e330d229757bb1a253c807942d37216f813eca1cc955ef427c80b6a56e4
                                                • Instruction ID: 6b5e176061952633072dc125681e6d10e76c19fba40ec1fb389954526dc553aa
                                                • Opcode Fuzzy Hash: 86ca2e330d229757bb1a253c807942d37216f813eca1cc955ef427c80b6a56e4
                                                • Instruction Fuzzy Hash: CD11AB7A14830BB5EA212624EC07FFB779CDB15735F20002AFE10A5CE2EE5158556554
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 001188D7
                                                • CoInitialize.OLE32(00000000), ref: 00118904
                                                • CoUninitialize.OLE32 ref: 0011890E
                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 00118A0E
                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00118B3B
                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00132C0C), ref: 00118B6F
                                                • CoGetObject.OLE32(?,00000000,00132C0C,?), ref: 00118B92
                                                • SetErrorMode.KERNEL32(00000000), ref: 00118BA5
                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00118C25
                                                • VariantClear.OLEAUT32(?), ref: 00118C35
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                • String ID:
                                                • API String ID: 2395222682-0
                                                • Opcode ID: 61da51f3bd94807076026230931db87b2f517f6ab21c4329bec3ee52ef321245
                                                • Instruction ID: fb4331b57e5d8f7955911eb2e3c557e45683b6d91275b0c32f166b310ab4b2c8
                                                • Opcode Fuzzy Hash: 61da51f3bd94807076026230931db87b2f517f6ab21c4329bec3ee52ef321245
                                                • Instruction Fuzzy Hash: B4C138B1608305AFC704DF64C8849ABB7E9FF89748F00892DF9899B251DB71ED46CB52
                                                APIs
                                                • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00107A6C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ArraySafeVartype
                                                • String ID:
                                                • API String ID: 1725837607-0
                                                • Opcode ID: 7d626f0e662828484d400ae910c964b23ab9b58a0c7a0f78b71cd906bd249ef0
                                                • Instruction ID: e7efdb5cb3527ee3900d5b23c5ffda68bb9e98d04019ed9394f6114df6f59d05
                                                • Opcode Fuzzy Hash: 7d626f0e662828484d400ae910c964b23ab9b58a0c7a0f78b71cd906bd249ef0
                                                • Instruction Fuzzy Hash: A1B18D71E0420A9FEB10DFA4C984BBEB7B4FF09321F254429E581E72C1D7B4A941CBA0
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 001011F0
                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00100268,?,00000001), ref: 00101204
                                                • GetWindowThreadProcessId.USER32(00000000), ref: 0010120B
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00100268,?,00000001), ref: 0010121A
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0010122C
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00100268,?,00000001), ref: 00101245
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00100268,?,00000001), ref: 00101257
                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00100268,?,00000001), ref: 0010129C
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00100268,?,00000001), ref: 001012B1
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00100268,?,00000001), ref: 001012BC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                • String ID:
                                                • API String ID: 2156557900-0
                                                • Opcode ID: ea134eb4fdc1c367816d14aaefe02adfbf062e2e3c78bbdb3677e1e0e2b24d9b
                                                • Instruction ID: 2133c505efc9abc21fabe311c35fca68168006c265f8e2600d569d20d7e727a1
                                                • Opcode Fuzzy Hash: ea134eb4fdc1c367816d14aaefe02adfbf062e2e3c78bbdb3677e1e0e2b24d9b
                                                • Instruction Fuzzy Hash: 5C319C75600204BFEB209F64EDA8FA977B9FB64311F214169F940C6AE0D7F89D81CB60
                                                APIs
                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000AFAA6
                                                • OleUninitialize.OLE32(?,00000000), ref: 000AFB45
                                                • UnregisterHotKey.USER32(?), ref: 000AFC9C
                                                • DestroyWindow.USER32(?), ref: 000E45D6
                                                • FreeLibrary.KERNEL32(?), ref: 000E463B
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000E4668
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                • String ID: close all
                                                • API String ID: 469580280-3243417748
                                                • Opcode ID: 453301700d17124acdc38d3d0e6878f9bb098c5cac8270d5b2cb41a6759399cf
                                                • Instruction ID: 876806d4326b6d185f3189839566f9bf7eb340eec36e70ddec1fd1599fa0ff62
                                                • Opcode Fuzzy Hash: 453301700d17124acdc38d3d0e6878f9bb098c5cac8270d5b2cb41a6759399cf
                                                • Instruction Fuzzy Hash: 45A16131701212DFCB69EF55C995ABDF3A4BF16710F5042ADE80AAB262CB30AD16CF51
                                                APIs
                                                • EnumChildWindows.USER32(?,000FA439), ref: 000FA377
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ChildEnumWindows
                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                • API String ID: 3555792229-1603158881
                                                • Opcode ID: 37c598b79133c8e96c0ae6d50a2bf31469094c851d80330581fe728530fb2eb0
                                                • Instruction ID: a5dd957a5b843c985556a4fb7eef7dbcafee17a37077d82ec0dcdb1a3ad4aa59
                                                • Opcode Fuzzy Hash: 37c598b79133c8e96c0ae6d50a2bf31469094c851d80330581fe728530fb2eb0
                                                • Instruction Fuzzy Hash: 5091E970704609EACB48DFA4C442BFDFBB4BF05310F508119E95DA7682DF316959EBA1
                                                APIs
                                                • SetWindowLongW.USER32(?,000000EB), ref: 000A2EAE
                                                  • Part of subcall function 000A1DB3: GetClientRect.USER32(?,?), ref: 000A1DDC
                                                  • Part of subcall function 000A1DB3: GetWindowRect.USER32(?,?), ref: 000A1E1D
                                                  • Part of subcall function 000A1DB3: ScreenToClient.USER32(?,?), ref: 000A1E45
                                                • GetDC.USER32 ref: 000DCD32
                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000DCD45
                                                • SelectObject.GDI32(00000000,00000000), ref: 000DCD53
                                                • SelectObject.GDI32(00000000,00000000), ref: 000DCD68
                                                • ReleaseDC.USER32(?,00000000), ref: 000DCD70
                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000DCDFB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                • String ID: U
                                                • API String ID: 4009187628-3372436214
                                                • Opcode ID: 45a329116e8f454d2e76c637c59e087f01c68e50071dd1ea259c67ca8670aaaf
                                                • Instruction ID: af1dd18b112877cf2880e6e12622af053c4c01b49113ac06a1029eb23bd6105b
                                                • Opcode Fuzzy Hash: 45a329116e8f454d2e76c637c59e087f01c68e50071dd1ea259c67ca8670aaaf
                                                • Instruction Fuzzy Hash: E2718F31500206EFDF61CF64CC84EAA7BB6FF49360F14427AED559A2A6C7319C91DB60
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00111A50
                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00111A7C
                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00111ABE
                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00111AD3
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00111AE0
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00111B10
                                                • InternetCloseHandle.WININET(00000000), ref: 00111B57
                                                  • Part of subcall function 00112483: GetLastError.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 00112498
                                                  • Part of subcall function 00112483: SetEvent.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 001124AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                • String ID:
                                                • API String ID: 2603140658-3916222277
                                                • Opcode ID: 4049d7522f3ed1c6bbfa23a29e8fbd8d04a90e5671e096e4f1f1e21a568dabd1
                                                • Instruction ID: 71442fbbfe1bfd38cd60e7c6013e4a9834b564f9af344e0e786f26a1a272fdac
                                                • Opcode Fuzzy Hash: 4049d7522f3ed1c6bbfa23a29e8fbd8d04a90e5671e096e4f1f1e21a568dabd1
                                                • Instruction Fuzzy Hash: 21417DB1505218BFEB198F50CC89FFEBBACEF08354F00413AFA059A141E7709E959BA4
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0012F910), ref: 00118D28
                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0012F910), ref: 00118D5C
                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00118ED6
                                                • SysFreeString.OLEAUT32(?), ref: 00118F00
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                • String ID:
                                                • API String ID: 560350794-0
                                                • Opcode ID: e3431b2bb11480a5fbd19cc2a3428b068c3d6ce3926a65f168f628ec67e0031d
                                                • Instruction ID: 15dbe77e8040ca3a0e91d3d3d3130b3fa4a88a5057fdced6595d86013c567ec6
                                                • Opcode Fuzzy Hash: e3431b2bb11480a5fbd19cc2a3428b068c3d6ce3926a65f168f628ec67e0031d
                                                • Instruction Fuzzy Hash: B1F10B71A00209AFDF18DF94C884EEEB7B9FF49314F108568F515AB251DB31AE86CB91
                                                APIs
                                                • _memset.LIBCMT ref: 0011F6B5
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011F848
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011F86C
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011F8AC
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011F8CE
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0011FA4A
                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0011FA7C
                                                • CloseHandle.KERNEL32(?), ref: 0011FAAB
                                                • CloseHandle.KERNEL32(?), ref: 0011FB22
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                • String ID:
                                                • API String ID: 4090791747-0
                                                • Opcode ID: 3979df6d8ac2e58321bcaaa3ecd867fd3b3a42a635a15196851c12d5344b7bb2
                                                • Instruction ID: fb48ecf14fac1519f8151afb44667921157e279d2881da19471dd2c44fad1de5
                                                • Opcode Fuzzy Hash: 3979df6d8ac2e58321bcaaa3ecd867fd3b3a42a635a15196851c12d5344b7bb2
                                                • Instruction Fuzzy Hash: 2DE180316043019FC718EF24C891BAEBBE5AF85354F14857DF8959B2A2DB31EC86CB52
                                                APIs
                                                  • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00103697,?), ref: 0010468B
                                                  • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00103697,?), ref: 001046A4
                                                  • Part of subcall function 00104A31: GetFileAttributesW.KERNEL32(?,0010370B), ref: 00104A32
                                                • lstrcmpiW.KERNEL32(?,?), ref: 00104D40
                                                • _wcscmp.LIBCMT ref: 00104D5A
                                                • MoveFileW.KERNEL32(?,?), ref: 00104D75
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                • String ID:
                                                • API String ID: 793581249-0
                                                • Opcode ID: e4d4d1ea088a32ebc77e5991ad7476b56bbe9e2a753a88e2710e6e58eaef453e
                                                • Instruction ID: 879ae572b63e4ccfc2fca6475e5093c0e7c6ead82a3c2e2859c343e5a33ebd4c
                                                • Opcode Fuzzy Hash: e4d4d1ea088a32ebc77e5991ad7476b56bbe9e2a753a88e2710e6e58eaef453e
                                                • Instruction Fuzzy Hash: 135141B20083459BC724DBA4D881DDFB3ECAF95350F00492EB2C9D3192EF75A589C766
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001286FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: 9bd2aeb777239bc0fb75f33a6966c4fbb78a932226754dc430b4ae411c6905e4
                                                • Instruction ID: 6b28a9ad6cbcd23675f708e829911f686912bcd9e05fa4277256e1d2b40f1d29
                                                • Opcode Fuzzy Hash: 9bd2aeb777239bc0fb75f33a6966c4fbb78a932226754dc430b4ae411c6905e4
                                                • Instruction Fuzzy Hash: 7651C030602274BFEB249F28EC89FAD7BA5EB05324F604125F910E65A1CF75A9B0CB40
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000DC2F7
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000DC319
                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000DC331
                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000DC34F
                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000DC370
                                                • DestroyIcon.USER32(00000000), ref: 000DC37F
                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000DC39C
                                                • DestroyIcon.USER32(?), ref: 000DC3AB
                                                  • Part of subcall function 0012A4AF: DeleteObject.GDI32(00000000), ref: 0012A4E8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                • String ID:
                                                • API String ID: 2819616528-0
                                                • Opcode ID: 6490fa49907eb13d619dd45b1c6cad17bf0520735fc78a693af743c9bcfde8f4
                                                • Instruction ID: 825a249b99ad625bc7ee147007296855d1012a3d01874f494130f8eea554d246
                                                • Opcode Fuzzy Hash: 6490fa49907eb13d619dd45b1c6cad17bf0520735fc78a693af743c9bcfde8f4
                                                • Instruction Fuzzy Hash: 24515970A1020AAFDB24DFA9CC45FAE7BF5EB19310F104529F94297690D7B0EDA1DB60
                                                APIs
                                                  • Part of subcall function 000FA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 000FA84C
                                                  • Part of subcall function 000FA82C: GetCurrentThreadId.KERNEL32 ref: 000FA853
                                                  • Part of subcall function 000FA82C: AttachThreadInput.USER32(00000000,?,000F9683,?,00000001), ref: 000FA85A
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 000F968E
                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000F96AB
                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 000F96AE
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 000F96B7
                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000F96D5
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000F96D8
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 000F96E1
                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000F96F8
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000F96FB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                • String ID:
                                                • API String ID: 2014098862-0
                                                • Opcode ID: bd96951706fb3c6b686bd6d70a9466d225ab3d78a469236ea53b77d7b1128c19
                                                • Instruction ID: 95ee828f3526c1171460891b6777d7efecd767051e80b81b48d6d62c68c68f9b
                                                • Opcode Fuzzy Hash: bd96951706fb3c6b686bd6d70a9466d225ab3d78a469236ea53b77d7b1128c19
                                                • Instruction Fuzzy Hash: 0E11E5B1910218BEF6206F60DC49FBA3B2DDB4C791F500439F344AB4A1CAF25C62DAA4
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,000F853C,00000B00,?,?), ref: 000F892A
                                                • HeapAlloc.KERNEL32(00000000,?,000F853C,00000B00,?,?), ref: 000F8931
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000F853C,00000B00,?,?), ref: 000F8946
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,000F853C,00000B00,?,?), ref: 000F894E
                                                • DuplicateHandle.KERNEL32(00000000,?,000F853C,00000B00,?,?), ref: 000F8951
                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,000F853C,00000B00,?,?), ref: 000F8961
                                                • GetCurrentProcess.KERNEL32(000F853C,00000000,?,000F853C,00000B00,?,?), ref: 000F8969
                                                • DuplicateHandle.KERNEL32(00000000,?,000F853C,00000B00,?,?), ref: 000F896C
                                                • CreateThread.KERNEL32(00000000,00000000,000F8992,00000000,00000000,00000000), ref: 000F8986
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                • String ID:
                                                • API String ID: 1957940570-0
                                                • Opcode ID: 02e7516a1aea4eb138b45861c2e4df6522459c1185b8b3bd7b99c6b21afbad4b
                                                • Instruction ID: 11be64d71f25a2b2640a092abe8d9a09b79b413562240474f55278231d7b9220
                                                • Opcode Fuzzy Hash: 02e7516a1aea4eb138b45861c2e4df6522459c1185b8b3bd7b99c6b21afbad4b
                                                • Instruction Fuzzy Hash: 3C01BF75640308FFE720ABA5DD4EF673B6CEB89711F408425FA05DB591CA709862CB20
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: NULL Pointer assignment$Not an Object type
                                                • API String ID: 0-572801152
                                                • Opcode ID: 84a0c7eee3061b36df279cf41bc765030a8179ca5fa86298d4310d550b54268f
                                                • Instruction ID: 5cb92e3b02d1447d2945f1d62a8e67acce8934a21e206c51114d7359d0943803
                                                • Opcode Fuzzy Hash: 84a0c7eee3061b36df279cf41bc765030a8179ca5fa86298d4310d550b54268f
                                                • Instruction Fuzzy Hash: 78C1C371A002099FDF18DFA8D894BEEB7F5FB48314F148479E915AB281E770AD81CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$_memset
                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 2862541840-625585964
                                                • Opcode ID: ad1f8bd3bc9dec0754d963f9ee64c9507c417240c5a9ae16e7d1b546334813a4
                                                • Instruction ID: 530eae100fdc97f0120d36d0e55317fa107ce20edfc3ce78d8783dd9932e62ea
                                                • Opcode Fuzzy Hash: ad1f8bd3bc9dec0754d963f9ee64c9507c417240c5a9ae16e7d1b546334813a4
                                                • Instruction Fuzzy Hash: 61916071A00215ABDF28DFA5C858FEEB7B8FF45710F108569F525AB280D7709985CBA0
                                                APIs
                                                  • Part of subcall function 000F710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?,?,000F7455), ref: 000F7127
                                                  • Part of subcall function 000F710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?), ref: 000F7142
                                                  • Part of subcall function 000F710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?), ref: 000F7150
                                                  • Part of subcall function 000F710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?), ref: 000F7160
                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00119806
                                                • _memset.LIBCMT ref: 00119813
                                                • _memset.LIBCMT ref: 00119956
                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00119982
                                                • CoTaskMemFree.OLE32(?), ref: 0011998D
                                                Strings
                                                • NULL Pointer assignment, xrefs: 001199DB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                • String ID: NULL Pointer assignment
                                                • API String ID: 1300414916-2785691316
                                                • Opcode ID: e5e0495c8b846db76cd16254b092fd99ccb33877db87dd07b19231895cc9408b
                                                • Instruction ID: 5bb7842e47b5d1e797b28af475faf609c46bbb4b26d25a34f250bb97cfc62d70
                                                • Opcode Fuzzy Hash: e5e0495c8b846db76cd16254b092fd99ccb33877db87dd07b19231895cc9408b
                                                • Instruction Fuzzy Hash: 22912671D00229EBDB14DFA5DC51EDEBBB9BF09310F10416AF519A7281DB71AA44CFA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00126E24
                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 00126E38
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00126E52
                                                • _wcscat.LIBCMT ref: 00126EAD
                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00126EC4
                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00126EF2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window_wcscat
                                                • String ID: SysListView32
                                                • API String ID: 307300125-78025650
                                                • Opcode ID: 3150143817cb7de13ac3d058d51ab420c285b4252a242dc23c57971f6d83dd48
                                                • Instruction ID: cac09b5391e366143fcfadd57c58758423994411825947d3b28dadfc493c1903
                                                • Opcode Fuzzy Hash: 3150143817cb7de13ac3d058d51ab420c285b4252a242dc23c57971f6d83dd48
                                                • Instruction Fuzzy Hash: EE419E74A00358EBDB21DFA4DC85BEE77B8EF08350F10046AF594A72D1D7719D958B60
                                                APIs
                                                  • Part of subcall function 00103C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00103C7A
                                                  • Part of subcall function 00103C55: Process32FirstW.KERNEL32(00000000,?), ref: 00103C88
                                                  • Part of subcall function 00103C55: CloseHandle.KERNEL32(00000000), ref: 00103D52
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011E9A4
                                                • GetLastError.KERNEL32 ref: 0011E9B7
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011E9E6
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0011EA63
                                                • GetLastError.KERNEL32(00000000), ref: 0011EA6E
                                                • CloseHandle.KERNEL32(00000000), ref: 0011EAA3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                • String ID: SeDebugPrivilege
                                                • API String ID: 2533919879-2896544425
                                                • Opcode ID: e178b64f40fb7ab99026c3c3d732ee813c484175de41b3d91a3c67b8d87f17db
                                                • Instruction ID: ee717c6a6a34b487cc6b8f40bd52218a0125501cfeb8d7f137e4bc701ec92fad
                                                • Opcode Fuzzy Hash: e178b64f40fb7ab99026c3c3d732ee813c484175de41b3d91a3c67b8d87f17db
                                                • Instruction Fuzzy Hash: 1341AC302002019FDB28EF94DCA5FAEB7E5AF41714F048468F9029B2D3CB75A895CB91
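The entries above are stack-argument dumps from the Joe Sandbox IDA plugin: each "•" line is one call site, the parenthesised values are the stack slots observed at the call (a "?" is a slot the plugin could not resolve), and only the leading slots are the API's real parameters; anything past its arity is leftover stack. Three entries carry the security-relevant sequences a triager will want decoded: the process-termination helper (CreateToolhelp32Snapshot/Process32FirstW, then OpenProcess with access 0x1 and TerminateProcess, alongside the SeDebugPrivilege string), the keystroke-injection helper (AttachThreadInput, then PostMessageW with 0x100/0x101 and key codes 0x25/0x27), and the COM-activation helper (CoInitializeSecurity followed by CoCreateInstanceEx with class context 0x15). The error strings in the neighbouring entries ("NULL Pointer assignment", "Incorrect Object type in FOR..IN loop", "%s (%d) : ==> %s: %s %s") are AutoIt interpreter messages, consistent with the report's "compiled AutoIt script" signature, so these functions are best read as the AutoIt runtime's built-ins rather than Remcos-specific logic. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in this listing format, decodes the constants named above from the Windows SDK, and applies conjunctive API-set rules whose names are this example's own. The embedded listings are copied from the entries above (the keystroke and COM entries abridged to the lines the decoder and rules act on).

```python
import re
from typing import NamedTuple, Optional

# One API line of a Joe Sandbox function entry, in the three shapes seen on this page:
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011E9A4
#   • Part of subcall function 00103C55: Process32FirstW.KERNEL32(00000000,?), ref: 00103C88
#   • _memset.LIBCMT ref: 00119813
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

class Call(NamedTuple):
    name: str
    module: str
    args: tuple             # stack slots at the call site: hex literal -> int, '?' (unresolved) -> None
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address for "Part of subcall function" lines, else None

def _slot(token: str) -> Optional[int]:
    token = token.strip()
    return None if token == "?" else int(token, 16)

def parse_calls(listing: str) -> list[Call]:
    """Parse the API lines of one function entry; section headers and string lines are skipped."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw, sub = m.group("args"), m.group("sub")
        args = tuple(_slot(t) for t in raw.split(",")) if raw else ()
        calls.append(Call(m.group("name"), m.group("module"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

# Constants worth decoding in these entries (values as defined in the Windows SDK headers).
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}
WM = {0x80: "WM_SETICON", 0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}
AUTHN = {1: "RPC_C_AUTHN_LEVEL_NONE", 2: "RPC_C_AUTHN_LEVEL_CONNECT", 6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
IMP = {1: "RPC_C_IMP_LEVEL_ANONYMOUS", 2: "RPC_C_IMP_LEVEL_IDENTIFY", 3: "RPC_C_IMP_LEVEL_IMPERSONATE"}

def flags(value: int, table: dict) -> str:
    """Render a bit mask as 'A|B'; bits absent from the table are kept as hex so nothing is dropped silently."""
    names = [n for bit, n in table.items() if value & bit]
    unknown = value & ~sum(table)   # keys are distinct single bits, so their sum is their OR
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"

def decode(call: Call) -> str:
    """Readable form of the leading parameters of the calls that matter for triage."""
    a = call.args
    if call.name == "OpenProcess" and a and a[0] is not None:
        return f"OpenProcess(access={flags(a[0], PROCESS_ACCESS)})"
    if call.name in ("PostMessageW", "SendMessageW") and len(a) >= 3 and a[1] is not None:
        msg = WM.get(a[1], hex(a[1]))
        if a[1] in (0x100, 0x101) and a[2] is not None:   # key messages carry a virtual-key code in wParam
            return f"{call.name}({msg}, {VK.get(a[2], hex(a[2]))})"
        return f"{call.name}({msg})"
    if call.name == "CoCreateInstanceEx" and len(a) >= 3 and a[2] is not None:
        return f"CoCreateInstanceEx(clsctx={flags(a[2], CLSCTX)})"
    if call.name == "CoInitializeSecurity" and len(a) >= 6:
        return f"CoInitializeSecurity(authn={AUTHN.get(a[4], a[4])}, imp={IMP.get(a[5], a[5])})"
    return call.name

# Triage rules (names are this example's own): an entry matches when it calls every API in the set.
RULES = {
    "process-kill-by-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "OpenProcess", "TerminateProcess"},
    "synthetic-keystrokes-to-foreign-window": {"AttachThreadInput", "MapVirtualKeyW", "PostMessageW"},
    "out-of-process-com-activation": {"CoInitializeSecurity", "CoCreateInstanceEx"},
}

def triage(calls: list[Call]) -> list[str]:
    present = {c.name for c in calls}
    return sorted(rule for rule, needed in RULES.items() if needed <= present)

# Inputs copied from the report entries above (the last two abridged).
KILL_LISTING = """\
• Part of subcall function 00103C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00103C7A
• Part of subcall function 00103C55: Process32FirstW.KERNEL32(00000000,?), ref: 00103C88
• Part of subcall function 00103C55: CloseHandle.KERNEL32(00000000), ref: 00103D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011E9A4
• GetLastError.KERNEL32 ref: 0011E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0011EA63
• GetLastError.KERNEL32(00000000), ref: 0011EA6E
• CloseHandle.KERNEL32(00000000), ref: 0011EAA3
"""
KEYS_LISTING = """\
• Part of subcall function 000FA82C: AttachThreadInput.USER32(00000000,?,000F9683,?,00000001), ref: 000FA85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 000F968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000F96AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 000F96AE
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000F96F8
"""
COM_LISTING = """\
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00119806
• _memset.LIBCMT ref: 00119813
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00119982
• CoTaskMemFree.OLE32(?), ref: 0011998D
"""

if __name__ == "__main__":
    for listing in (KILL_LISTING, KEYS_LISTING, COM_LISTING):
        calls = parse_calls(listing)
        print(triage(calls), [decode(c) for c in calls])
```

The rules are deliberately conjunctive over one function entry, so a hit means "this function can do X", not "the script does X": with an AutoIt runtime every ProcessClose, ControlSend and ObjCreate built-in is present whether or not the packed script ever calls it. Pair the output with the report's behaviour sections (the CMSTPLUA and keyboard-hook signatures in the overview) before drawing conclusions, and extend the constant tables rather than trusting hex that `flags` leaves undecoded.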
                                                APIs
                                                • LoadIconW.USER32(00000000,00007F03), ref: 00103033
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: IconLoad
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 2457776203-404129466
                                                • Opcode ID: 7fe4a269ba100ff6a5647fe4a16498ab49db1a32175fe632dccf87586d5e9969
                                                • Instruction ID: 0ea0adb5fc813d98c3c819f96dcfc7d8397a145c040adefc323ac8f829c37e47
                                                • Opcode Fuzzy Hash: 7fe4a269ba100ff6a5647fe4a16498ab49db1a32175fe632dccf87586d5e9969
                                                • Instruction Fuzzy Hash: 69113A35349386BEE7199B54DC42DAF77ACDF15360B20402EF960BA5C2EBF05F4456A0
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00104312
                                                • LoadStringW.USER32(00000000), ref: 00104319
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0010432F
                                                • LoadStringW.USER32(00000000), ref: 00104336
                                                • _wprintf.LIBCMT ref: 0010435C
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0010437A
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 00104357
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 3648134473-3128320259
                                                • Opcode ID: 3b8d0d1ccb83e3d6a82f5b8d88f6a0cddcad8a615a685e213ca8d2bc11977fb1
                                                • Instruction ID: a1a17eafe818c972f893826a11559fa63719cabd1c3b9fcacc80d8224c37615b
                                                • Opcode Fuzzy Hash: 3b8d0d1ccb83e3d6a82f5b8d88f6a0cddcad8a615a685e213ca8d2bc11977fb1
                                                • Instruction Fuzzy Hash: 06018FF280020CBFE72097A0DD89EEA777CEB08300F4000B9BB45E6051EA705ED64B70
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • GetSystemMetrics.USER32(0000000F), ref: 0012D47C
                                                • GetSystemMetrics.USER32(0000000F), ref: 0012D49C
                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0012D6D7
                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0012D6F5
                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0012D716
                                                • ShowWindow.USER32(00000003,00000000), ref: 0012D735
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0012D75A
                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 0012D77D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                • String ID:
                                                • API String ID: 1211466189-0
                                                • Opcode ID: 1d0ee8ed5d524dfdba3fcfd3bccc571f722b4e488d672babf8ac52521ea14e0c
                                                • Instruction ID: c13d29f524aa1895475018a2b30a5c0cc64b26be923e3323b352109bb149a0a0
                                                • Opcode Fuzzy Hash: 1d0ee8ed5d524dfdba3fcfd3bccc571f722b4e488d672babf8ac52521ea14e0c
                                                • Instruction Fuzzy Hash: ADB18A71600225EFDF18CF68E9C5BAD7BB1FF04705F088169EC489B695DB74A9A0CB90
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 00120E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011FDEE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharConnectRegistryUpper_memmove
                                                • String ID:
                                                • API String ID: 3479070676-0
                                                • Opcode ID: 1c4bc6b3242053e7353800658971a8a3a8184c54d6e95f0eda6ac9d31fe20dff
                                                • Instruction ID: 59467bc8d60ab59ccded594f3bf29e78d5382b0e0455a1dc2d9cee1704226833
                                                • Opcode Fuzzy Hash: 1c4bc6b3242053e7353800658971a8a3a8184c54d6e95f0eda6ac9d31fe20dff
                                                • Instruction Fuzzy Hash: 75A1AC312042019FCB14EF54C890FAEB7E5FF85314F14882CF9969B2A2DB75E996CB52
                                                APIs
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000), ref: 000A2ACF
                                                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 000A2B17
                                                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000), ref: 000DC21A
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000), ref: 000DC286
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 9487950e2aee458c2430e6ae6c512c8b4ad6a23c64d73ac90cf22e8742320964
                                                • Instruction ID: 5ab5b3536992925abdc22506f564a60c557838c475a2a060efd60afc7a8009cf
                                                • Opcode Fuzzy Hash: 9487950e2aee458c2430e6ae6c512c8b4ad6a23c64d73ac90cf22e8742320964
                                                • Instruction Fuzzy Hash: 3D411B31604780ABD7758BAC9D88B7F7BE3AF57310F15843EE04782A61C7709882D722
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 001070DD
                                                  • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                  • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00107114
                                                • EnterCriticalSection.KERNEL32(?), ref: 00107130
                                                • _memmove.LIBCMT ref: 0010717E
                                                • _memmove.LIBCMT ref: 0010719B
                                                • LeaveCriticalSection.KERNEL32(?), ref: 001071AA
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001071BF
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 001071DE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 256516436-0
                                                • Opcode ID: 5a82f57011df7976b8bf297d34b773865dddd60b98fad7285b8b7789f212978f
                                                • Instruction ID: e1600b4b37cc99ed0efc164fdf5e8ec315a41618becaaf5f0546c2368df93f9a
                                                • Opcode Fuzzy Hash: 5a82f57011df7976b8bf297d34b773865dddd60b98fad7285b8b7789f212978f
                                                • Instruction Fuzzy Hash: 85315D71900205EBCB10EFA4DD85EAEB778EF45710F1541B9F904AB296DB70EE61CBA0
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 001261EB
                                                • GetDC.USER32(00000000), ref: 001261F3
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001261FE
                                                • ReleaseDC.USER32(00000000,00000000), ref: 0012620A
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00126246
                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00126257
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0012902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00126291
                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001262B1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                • String ID:
                                                • API String ID: 3864802216-0
                                                • Opcode ID: 6247bad1e8d39e9fb1956ba547cbf861228b89f9899dadeda85a777ee580207f
                                                • Instruction ID: 58b14335d48144636cebba09b9d506cdcef4a13ab4de2577759d8a94cee49067
                                                • Opcode Fuzzy Hash: 6247bad1e8d39e9fb1956ba547cbf861228b89f9899dadeda85a777ee580207f
                                                • Instruction Fuzzy Hash: 40317F76101210BFEB218F50DC8AFEB3BA9EF49765F044069FE089A191D7759CA2CB64
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID:
                                                • API String ID: 2931989736-0
                                                • Opcode ID: b5a1c98f0ff5a118d60734d07f76500972b8b6aadd0fadbef7e5267a3121c925
                                                • Instruction ID: 5a0af59b6c0147daf1cfc9f900496dc970ea2036cc02ce3638d338ae14575746
                                                • Opcode Fuzzy Hash: b5a1c98f0ff5a118d60734d07f76500972b8b6aadd0fadbef7e5267a3121c925
                                                • Instruction Fuzzy Hash: 0E219D7160120D7BE6187721DD42FFFB79DAF15388F084024FE0496A87EBA4DE11AAE1
                                                APIs
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                  • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                • _wcstok.LIBCMT ref: 0010EC94
                                                • _wcscpy.LIBCMT ref: 0010ED23
                                                • _memset.LIBCMT ref: 0010ED56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                • String ID: X
                                                • API String ID: 774024439-3081909835
                                                • Opcode ID: 2c4157cd703abf05d960d15a5ba59c0ea715d743b8ff71d6b89dba39d7d6f4b6
                                                • Instruction ID: e04997377edce158da001523b6a927c72d7bd449e572eabcf21c0b579ce342cc
                                                • Opcode Fuzzy Hash: 2c4157cd703abf05d960d15a5ba59c0ea715d743b8ff71d6b89dba39d7d6f4b6
                                                • Instruction Fuzzy Hash: DBC15D716087059FC714EF64C985AAAB7E4FF86310F04492DF8999B2A2DB70EC45CB92
                                                APIs
                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00116C00
                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00116C21
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00116C34
                                                • htons.WSOCK32(?,?,?,00000000,?), ref: 00116CEA
                                                • inet_ntoa.WSOCK32(?), ref: 00116CA7
                                                  • Part of subcall function 000FA7E9: _strlen.LIBCMT ref: 000FA7F3
                                                  • Part of subcall function 000FA7E9: _memmove.LIBCMT ref: 000FA815
                                                • _strlen.LIBCMT ref: 00116D44
                                                • _memmove.LIBCMT ref: 00116DAD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                • String ID:
                                                • API String ID: 3619996494-0
                                                • Opcode ID: 4cbf7fc4aee114f371874006a74ec7cadd7da6781e98f2679a7cfd304c50ddb4
                                                • Instruction ID: 9006d4589a9e5169c078c80fef0aabc4636b45eac97cba3fb53496eba3e1e3a4
                                                • Opcode Fuzzy Hash: 4cbf7fc4aee114f371874006a74ec7cadd7da6781e98f2679a7cfd304c50ddb4
                                                • Instruction Fuzzy Hash: 7181C171208300ABCB14EBA4DC82FEFB7A8AF95714F14492CF9559B2D2DB719D41CB92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1a5d775f7eafab9c1e02a604f0b39eb58d3ec877ede14eefd037ba417024448
                                                • Instruction ID: c1f0e94aa6e09c75c04e8234fef40695b252e675bf6796c5f37b6e7230a7914a
                                                • Opcode Fuzzy Hash: b1a5d775f7eafab9c1e02a604f0b39eb58d3ec877ede14eefd037ba417024448
                                                • Instruction Fuzzy Hash: FE716B34904109FFCB14CF98CC49AFEBBB9FF8A350F148159F915AA251C734AA52CBA4
                                                APIs
                                                • IsWindow.USER32(01175BF0), ref: 0012B3EB
                                                • IsWindowEnabled.USER32(01175BF0), ref: 0012B3F7
                                                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0012B4DB
                                                • SendMessageW.USER32(01175BF0,000000B0,?,?), ref: 0012B512
                                                • IsDlgButtonChecked.USER32(?,?), ref: 0012B54F
                                                • GetWindowLongW.USER32(01175BF0,000000EC), ref: 0012B571
                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0012B589
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                • String ID:
                                                • API String ID: 4072528602-0
                                                • Opcode ID: ad33f581d87b026e60836091de137b0c785ea50724ce85df9b10a5a7b074982c
                                                • Instruction ID: e73b974647caadbccf6ca5108045416cc8ddd78f4833a38ee0afdd06e8569daf
                                                • Opcode Fuzzy Hash: ad33f581d87b026e60836091de137b0c785ea50724ce85df9b10a5a7b074982c
                                                • Instruction Fuzzy Hash: 7471D434608264EFDB24EF54E8D4FBA77B9FF09300F144069FA42972A2D731A9A1DB50
                                                APIs
                                                • _memset.LIBCMT ref: 0011F448
                                                • _memset.LIBCMT ref: 0011F511
                                                • ShellExecuteExW.SHELL32(?), ref: 0011F556
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                  • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                • GetProcessId.KERNEL32(00000000), ref: 0011F5CD
                                                • CloseHandle.KERNEL32(00000000), ref: 0011F5FC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                • String ID: @
                                                • API String ID: 3522835683-2766056989
                                                • Opcode ID: 2c498e00d9affdc80ac9c42a4b2ae171f05bfdfc14aea38e4b66aae2f9030797
                                                • Instruction ID: 9038612d309cc9a972cab702caa4e7ad8893f97ae2db7c2126323e30a996683f
                                                • Opcode Fuzzy Hash: 2c498e00d9affdc80ac9c42a4b2ae171f05bfdfc14aea38e4b66aae2f9030797
                                                • Instruction Fuzzy Hash: 6A61AE75A006199FCB18DF94C8819EEBBB5FF49310F14806DE815AB752CB34AD82CB90
                                                APIs
                                                • GetParent.USER32(?), ref: 00100F8C
                                                • GetKeyboardState.USER32(?), ref: 00100FA1
                                                • SetKeyboardState.USER32(?), ref: 00101002
                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00101030
                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 0010104F
                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00101095
                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001010B8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: b14479d3a9616f778b3c327b5670483423a042d1ff9a2c8f98c2670be2233087
                                                • Instruction ID: 874bdc5867c8917ee9d163a097f943b2e686d1700d0f82575774903ac3a0cd0a
                                                • Opcode Fuzzy Hash: b14479d3a9616f778b3c327b5670483423a042d1ff9a2c8f98c2670be2233087
                                                • Instruction Fuzzy Hash: B151E4B06047D63EFB3642348C45BBABEA96B06304F088589F1D4868D3C3E9DCD9D751
                                                APIs
                                                • GetParent.USER32(00000000), ref: 00100DA5
                                                • GetKeyboardState.USER32(?), ref: 00100DBA
                                                • SetKeyboardState.USER32(?), ref: 00100E1B
                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00100E47
                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00100E64
                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00100EA8
                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00100EC9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: 974c508b3ed6f89fa093222c4fc18feddfee5dfbd95ee0ad540ba75097b5d0cf
                                                • Instruction ID: 6f17bf49137b404f598f585bf2611be49450887695e6b4e6d42640369be22848
                                                • Opcode Fuzzy Hash: 974c508b3ed6f89fa093222c4fc18feddfee5dfbd95ee0ad540ba75097b5d0cf
                                                • Instruction Fuzzy Hash: 8051E4B05086D53EFB338364CC45BBA7FA95B0A300F08889DE1D4568C2C3D5AC99E760
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _wcsncpy$LocalTime
                                                • String ID:
                                                • API String ID: 2945705084-0
                                                • Opcode ID: 86ade2e531821044c123afb8336d54ca9d4ac285190e452db5e77566f4c569b6
                                                • Instruction ID: b6750885a6343e436d63822ee2fecc7393fb5f136c78e8889f95462bcfab263c
                                                • Opcode Fuzzy Hash: 86ade2e531821044c123afb8336d54ca9d4ac285190e452db5e77566f4c569b6
                                                • Instruction Fuzzy Hash: 2741D679C5061876CB11EBF48C46EDFB7B9AF04310F50885AE508E3262FB34E645CBA6
                                                APIs
                                                  • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00103697,?), ref: 0010468B
                                                  • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00103697,?), ref: 001046A4
                                                • lstrcmpiW.KERNEL32(?,?), ref: 001036B7
                                                • _wcscmp.LIBCMT ref: 001036D3
                                                • MoveFileW.KERNEL32(?,?), ref: 001036EB
                                                • _wcscat.LIBCMT ref: 00103733
                                                • SHFileOperationW.SHELL32(?), ref: 0010379F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                • String ID: \*.*
                                                • API String ID: 1377345388-1173974218
                                                • Opcode ID: bdf468e165b6b37ef64c3f76c1410eb82ff92a7e7c6304deca614a5ae05704de
                                                • Instruction ID: c2c8546185e2b42e854f8d382690875a764ceca13b4e121482a8e1b66bce8a5c
                                                • Opcode Fuzzy Hash: bdf468e165b6b37ef64c3f76c1410eb82ff92a7e7c6304deca614a5ae05704de
                                                • Instruction Fuzzy Hash: D4416EB1508344AEC755EF64C441ADFB7ECAF89380F40082EB4DAC3291EB75D689C752
                                                APIs
                                                • _memset.LIBCMT ref: 001272AA
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00127351
                                                • IsMenu.USER32(?), ref: 00127369
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001273B1
                                                • DrawMenuBar.USER32 ref: 001273C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Menu$Item$DrawInfoInsert_memset
                                                • String ID: 0
                                                • API String ID: 3866635326-4108050209
                                                • Opcode ID: 5a6c2e12682406fffec4da3c560804f0554c913372f48b5621e9eab5d800bf09
                                                • Instruction ID: 6e320bb33da02459ff18b9bea338fdeb656a0cb8b37c31b323c6f5d981f0d78a
                                                • Opcode Fuzzy Hash: 5a6c2e12682406fffec4da3c560804f0554c913372f48b5621e9eab5d800bf09
                                                • Instruction Fuzzy Hash: 3D413675A04219EFDB20DF51E884E9ABBF9FB08350F148429FD45AB290D730AD60DF90
                                                APIs
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00120FD4
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00120FFE
                                                • FreeLibrary.KERNEL32(00000000), ref: 001210B5
                                                  • Part of subcall function 00120FA5: RegCloseKey.ADVAPI32(?), ref: 0012101B
                                                  • Part of subcall function 00120FA5: FreeLibrary.KERNEL32(?), ref: 0012106D
                                                  • Part of subcall function 00120FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00121090
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00121058
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                • String ID:
                                                • API String ID: 395352322-0
                                                • Opcode ID: befc4ab77e8c9106b912da0a53d2f8d8b4f8e3efcb20ba7f1a478db60e67eed5
                                                • Instruction ID: 666c9e6578a2c3bccd684aa500c4029465226ab94daf4f3c650f08f89e598f53
                                                • Opcode Fuzzy Hash: befc4ab77e8c9106b912da0a53d2f8d8b4f8e3efcb20ba7f1a478db60e67eed5
                                                • Instruction Fuzzy Hash: 7831EA71901119BFDB25DF90EC89EFFB7BCEB18300F000269F501A2151EB749E969AA4
                                                APIs
                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001262EC
                                                • GetWindowLongW.USER32(01175BF0,000000F0), ref: 0012631F
                                                • GetWindowLongW.USER32(01175BF0,000000F0), ref: 00126354
                                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00126386
                                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001263B0
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 001263C1
                                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001263DB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: LongWindow$MessageSend
                                                • String ID:
                                                • API String ID: 2178440468-0
                                                • Opcode ID: adb4bf80303d649e20ff0e5b8080f380b8e50b3ebfc21d48646ca08c139454a5
                                                • Instruction ID: 0382fddd146e3a6f9b8466b86ca335bc000266c79e1f10132b43a410bd7701ab
                                                • Opcode Fuzzy Hash: adb4bf80303d649e20ff0e5b8080f380b8e50b3ebfc21d48646ca08c139454a5
                                                • Instruction Fuzzy Hash: FF311230640260AFDB20CF19EC84F5537E6FB4A754F1941A8F5459F6F2CB71ACA19B90
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDB2E
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDB54
                                                • SysAllocString.OLEAUT32(00000000), ref: 000FDB57
                                                • SysAllocString.OLEAUT32(?), ref: 000FDB75
                                                • SysFreeString.OLEAUT32(?), ref: 000FDB7E
                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 000FDBA3
                                                • SysAllocString.OLEAUT32(?), ref: 000FDBB1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                • Opcode ID: edcd25fa520f5b6fde04dff678ec1643f36cfd5f16eb4b839a502cd3a93584b6
                                                • Instruction ID: 2c6b51d97880e24441571d65ff5adf06e447f474adad6f984ff4446621af0b28
                                                • Opcode Fuzzy Hash: edcd25fa520f5b6fde04dff678ec1643f36cfd5f16eb4b839a502cd3a93584b6
                                                • Instruction Fuzzy Hash: AF217436600219AFDB10AFA8DC48DBB73EDEB09360B01857AFA14DB551D7709C429760
                                                APIs
                                                  • Part of subcall function 00117D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00117DB6
                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001161C6
                                                • WSAGetLastError.WSOCK32(00000000), ref: 001161D5
                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0011620E
                                                • connect.WSOCK32(00000000,?,00000010), ref: 00116217
                                                • WSAGetLastError.WSOCK32 ref: 00116221
                                                • closesocket.WSOCK32(00000000), ref: 0011624A
                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00116263
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                • String ID:
                                                • API String ID: 910771015-0
                                                • Opcode ID: f1e30579487ea873af7fe35a11bed350c93af378f8282aebb508ec6db18ca4a8
                                                • Instruction ID: aa11fcd8ca6b61cb15219607351e29258da2b072504c1a6b17fd4bb0ec1fd3b5
                                                • Opcode Fuzzy Hash: f1e30579487ea873af7fe35a11bed350c93af378f8282aebb508ec6db18ca4a8
                                                • Instruction Fuzzy Hash: B231AF31600118ABDF24AF64CC85BFE7BB9EB45720F044039FD05A7292CB75AC959BA1
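The two keyboard-state listings above (WM_KEYUP and WM_KEYDOWN posted with 0x10, 0x11, 0x12 and 0x5B, i.e. VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, after GetKeyboardState/SetKeyboardState: the modifier reset that precedes synthesized keystrokes) and the socket listing just above (socket(2,1,6), ioctlsocket with 0x8004667E, connect, WSAGetLastError, closesocket, ioctlsocket again) are easier to read once the raw hex arguments are named. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the report's `• Api.MODULE(args), ref: ADDR` lines (including the indented `Part of subcall function` form) and names the standard Win32 constants that occur in this section. The two sample inputs are copied from the listings above; the constant tables hold only values used on this page. Note that the third argument of ioctlsocket is a `u_long*`, so the `00000000` the report shows is a pointer and does not reveal whether FIONBIO enabled or cleared non-blocking mode; the FIONBIO-connect-WSAGetLastError-FIONBIO sequence is the usual non-blocking connect-with-timeout idiom, which is a reading of the trace, not something the report states.

```python
"""Decode Joe Sandbox per-function 'APIs' listings into named Win32 calls.

Added example; not part of the Joe Sandbox report and not code from the sample.
Input lines have the form used on this page:
    • Api.MODULE(arg,arg,...), ref: ADDR
    • Part of subcall function ADDR: Api.MODULE(...), ref: ADDR
"""
import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard Win32 constants; only those that occur in this section are listed.
WINDOW_MSG = {
    0x0030: "WM_SETFONT", 0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP",
    0x0401: "PBM_SETRANGE", 0x0402: "PBM_SETPOS", 0x0404: "PBM_SETSTEP",
    0x0409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR",
}
VIRTUAL_KEY = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
SOCKET_IOCTL = {0x8004667E: "FIONBIO"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                  # int for a resolved value, None for '?'
    ref: int                    # call-site address from 'ref:'
    subcall: Optional[int]      # callee address when 'Part of subcall function'


def parse_listing(text: str) -> list:
    """Parse every API line in a block; section labels and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw else [
            None if a.strip() == "?" else int(a.strip(), 16) for a in raw.split(",")
        ]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), sub))
    return calls


def _hex(v: Optional[int]) -> str:
    return "?" if v is None else f"0x{v:X}"


def describe(call: ApiCall) -> str:
    """Render one call with the constants this section uses named."""
    a = call.args
    if call.api in ("SendMessageW", "PostMessageW", "SendMessageA", "PostMessageA") and len(a) >= 2:
        msg = WINDOW_MSG.get(a[1], _hex(a[1]))
        detail = ""
        if a[1] in (0x0100, 0x0101) and len(a) > 2:   # wParam of a key message is a VK code
            detail = f" key={VIRTUAL_KEY.get(a[2], _hex(a[2]))}"
        elif len(a) > 2:
            detail = f" wParam={_hex(a[2])}"
        return f"{call.api}(hwnd={_hex(a[0])}, {msg}{detail})"
    if call.api == "ioctlsocket" and len(a) >= 2:
        # Third argument is a u_long* (the report shows the pointer), so the
        # value written through it is not recoverable from the listing.
        return f"ioctlsocket(cmd={SOCKET_IOCTL.get(a[1], _hex(a[1]))})"
    if call.api == "socket" and a[:3] == [2, 1, 6]:
        return "socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"
    return f"{call.api}({', '.join(_hex(x) for x in a)})"


def summarize(text: str) -> list:
    return [describe(c) for c in parse_listing(text)]


# Inputs copied from the WM_KEYUP listing and the socket listing on this page.
SAMPLE_KEY_RELEASE = """\
• GetParent.USER32(?), ref: 00100F8C
• GetKeyboardState.USER32(?), ref: 00100FA1
• SetKeyboardState.USER32(?), ref: 00101002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00101030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0010104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00101095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 001010B8
"""

SAMPLE_CONNECT = """\
  • Part of subcall function 00117D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00117DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001161C6
• WSAGetLastError.WSOCK32(00000000), ref: 001161D5
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0011620E
• connect.WSOCK32(00000000,?,00000010), ref: 00116217
• WSAGetLastError.WSOCK32 ref: 00116221
• closesocket.WSOCK32(00000000), ref: 0011624A
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00116263
"""

if __name__ == "__main__":
    for block in (SAMPLE_KEY_RELEASE, SAMPLE_CONNECT):
        print("\n".join(summarize(block)), end="\n\n")
```

Run on the two samples it prints the modifier-release sequence as four `PostMessageW(hwnd=?, WM_KEYUP key=VK_...)` lines and the connect sequence with `socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)` and two `ioctlsocket(cmd=FIONBIO)` calls around `connect`. Any other block from this section can be pasted in unchanged; unknown constants are left as hex rather than guessed.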
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                • API String ID: 1038674560-2734436370
                                                • Opcode ID: 6765c5113d9a57def422bb769411f130b8cd999113bb0b9abad6c3543044c546
                                                • Instruction ID: 420e6a8932a105124424937099e98900324043fb32439fead4955fa6165f67d8
                                                • Opcode Fuzzy Hash: 6765c5113d9a57def422bb769411f130b8cd999113bb0b9abad6c3543044c546
                                                • Instruction Fuzzy Hash: 442126722086166AD230BB34AC03FFFB3D8EF55390F144439FA46D6992EFA19D41E295
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDC09
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDC2F
                                                • SysAllocString.OLEAUT32(00000000), ref: 000FDC32
                                                • SysAllocString.OLEAUT32 ref: 000FDC53
                                                • SysFreeString.OLEAUT32 ref: 000FDC5C
                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 000FDC76
                                                • SysAllocString.OLEAUT32(?), ref: 000FDC84
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                • Opcode ID: 8934ae71587c1217e85b71646c0009dba30bb96988fdae3e3956f6f06818c290
                                                • Instruction ID: 15a6221415546daf85da54595dfac8e33604994ce9012ad9e6d63842a8ff3871
                                                • Opcode Fuzzy Hash: 8934ae71587c1217e85b71646c0009dba30bb96988fdae3e3956f6f06818c290
                                                • Instruction Fuzzy Hash: FA213735604109BF9B24EFA8DC89DBB77EDEB09360B108136FA15CB661D6B0DC42D764
                                                APIs
                                                  • Part of subcall function 000A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000A1D73
                                                  • Part of subcall function 000A1D35: GetStockObject.GDI32(00000011), ref: 000A1D87
                                                  • Part of subcall function 000A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A1D91
                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00127632
                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0012763F
                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0012764A
                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00127659
                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00127665
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$CreateObjectStockWindow
                                                • String ID: Msctls_Progress32
                                                • API String ID: 1025951953-3636473452
                                                • Opcode ID: 3c904c8f5ad0ca9a6639441628b98c73a5855c2023a825c9c0f997474d72baaf
                                                • Instruction ID: d0e45bc1c84b8538b6ee00ab36c6a03f88a170c102bdf391f7816d2878ca6a8c
                                                • Opcode Fuzzy Hash: 3c904c8f5ad0ca9a6639441628b98c73a5855c2023a825c9c0f997474d72baaf
                                                • Instruction Fuzzy Hash: 8211B2B2110229BFFF158F64DC85EE7BF6DEF08798F014114BA04A60A0DB729C21DBA4
                                                APIs
                                                • __init_pointers.LIBCMT ref: 000C9AE6
                                                  • Part of subcall function 000C3187: EncodePointer.KERNEL32(00000000), ref: 000C318A
                                                  • Part of subcall function 000C3187: __initp_misc_winsig.LIBCMT ref: 000C31A5
                                                  • Part of subcall function 000C3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000C9EA0
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000C9EB4
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000C9EC7
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000C9EDA
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000C9EED
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000C9F00
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 000C9F13
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000C9F26
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000C9F39
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000C9F4C
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000C9F5F
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000C9F72
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000C9F85
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000C9F98
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000C9FAB
                                                  • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000C9FBE
                                                • __mtinitlocks.LIBCMT ref: 000C9AEB
                                                • __mtterm.LIBCMT ref: 000C9AF4
                                                  • Part of subcall function 000C9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000C9AF9,000C7CD0,0015A0B8,00000014), ref: 000C9C56
                                                  • Part of subcall function 000C9B5C: _free.LIBCMT ref: 000C9C5D
                                                  • Part of subcall function 000C9B5C: DeleteCriticalSection.KERNEL32(0015EC00,?,?,000C9AF9,000C7CD0,0015A0B8,00000014), ref: 000C9C7F
                                                • __calloc_crt.LIBCMT ref: 000C9B19
                                                • __initptd.LIBCMT ref: 000C9B3B
                                                • GetCurrentThreadId.KERNEL32 ref: 000C9B42
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                • String ID:
                                                • API String ID: 3567560977-0
                                                • Opcode ID: dc19520cb6fcf74d0bb2de04d26b937a7751cd1d407b275c4f4c382df2e9b145
                                                • Instruction ID: 08605646cbc338bc454e9fe711777057b939d3646c590b33cdd4870b1748eebc
                                                • Opcode Fuzzy Hash: dc19520cb6fcf74d0bb2de04d26b937a7751cd1d407b275c4f4c382df2e9b145
                                                • Instruction Fuzzy Hash: 79F06D325197116AE6747B74BC0BFCE26D0AF02734F214A2EF4649A4D3EF20994145A5
                                                APIs
                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000C3F85), ref: 000C4085
                                                • GetProcAddress.KERNEL32(00000000), ref: 000C408C
                                                • EncodePointer.KERNEL32(00000000), ref: 000C4097
                                                • DecodePointer.KERNEL32(000C3F85), ref: 000C40B2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                • String ID: RoUninitialize$combase.dll
                                                • API String ID: 3489934621-2819208100
                                                • Opcode ID: 427531a19eb75e8caba4881da72572239a0791f84f1f975477765707bc3d82a4
                                                • Instruction ID: 01ee36dd314deba3393cf2609ea40d64d0c611008b111a24cb063928c7ca5178
                                                • Opcode Fuzzy Hash: 427531a19eb75e8caba4881da72572239a0791f84f1f975477765707bc3d82a4
                                                • Instruction Fuzzy Hash: FBE09270581300EFEA60AFA1ED09B053AB4B705B42F104038F521E19A0CBB686A6DA24
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove$__itow__swprintf
                                                • String ID:
                                                • API String ID: 3253778849-0
                                                • Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
                                                • Instruction ID: a29986dffc6cee0f74ec6f39454c2c2e03118ebede4a192f0fc5b5b2234b3d9d
                                                • Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
                                                • Instruction Fuzzy Hash: 68617A3060065A9BCF05EFA0CC82EFF37A9AF06308F054529F8995B293DB75A915DB50
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 00120E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001202BD
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001202FD
                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00120320
                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00120349
                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0012038C
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00120399
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                • String ID:
                                                • API String ID: 4046560759-0
                                                • Opcode ID: 0b0375098e76890be8f0a6ebc10283d8c0eba2c4b3f4dc26f92c4cb03b96c276
                                                • Instruction ID: 5e0dd9a4f1ac0f3199727886841d13cb1edf756321fbc3b1137cafa55c759bc2
                                                • Opcode Fuzzy Hash: 0b0375098e76890be8f0a6ebc10283d8c0eba2c4b3f4dc26f92c4cb03b96c276
                                                • Instruction Fuzzy Hash: 6D515831208204AFC715EF64D885EAFBBE9FF89314F044A2DF5458B2A2DB31E915CB52
                                                APIs
                                                • GetMenu.USER32(?), ref: 001257FB
                                                • GetMenuItemCount.USER32(00000000), ref: 00125832
                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0012585A
                                                • GetMenuItemID.USER32(?,?), ref: 001258C9
                                                • GetSubMenu.USER32(?,?), ref: 001258D7
                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 00125928
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Menu$Item$CountMessagePostString
                                                • String ID:
                                                • API String ID: 650687236-0
                                                • Opcode ID: 71bce2be1f0918e10e1323558778b14bd76ab3b24f9be86e00f40b274b54b75d
                                                • Instruction ID: 99ab7cb65b89d30d564c2944caef26d107d28a80f751cb59cc72b70da2351e91
                                                • Opcode Fuzzy Hash: 71bce2be1f0918e10e1323558778b14bd76ab3b24f9be86e00f40b274b54b75d
                                                • Instruction Fuzzy Hash: 57515C31A00625EFCF15EFA4D885AAEBBB5EF49310F104069E841AB352CB74AE51CB90
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 000FEF06
                                                • VariantClear.OLEAUT32(00000013), ref: 000FEF78
                                                • VariantClear.OLEAUT32(00000000), ref: 000FEFD3
                                                • _memmove.LIBCMT ref: 000FEFFD
                                                • VariantClear.OLEAUT32(?), ref: 000FF04A
                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000FF078
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Variant$Clear$ChangeInitType_memmove
                                                • String ID:
                                                • API String ID: 1101466143-0
                                                • Opcode ID: 3fbfdeaace34ce3a3d1ad9bdacf356c142bed7f8077b6cbcfcb2111fa7a72bf0
                                                • Instruction ID: 83bac307e8987f3f6dbfb1298a2d6ac2408392dbc42a768755d6f2f6bb117828
                                                • Opcode Fuzzy Hash: 3fbfdeaace34ce3a3d1ad9bdacf356c142bed7f8077b6cbcfcb2111fa7a72bf0
                                                • Instruction Fuzzy Hash: 52516CB5A00209EFCB14DF58C884AAAB7F8FF4C310F158569EA49DB301E731E951CBA0
                                                APIs
                                                • _memset.LIBCMT ref: 00102258
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001022A3
                                                • IsMenu.USER32(00000000), ref: 001022C3
                                                • CreatePopupMenu.USER32 ref: 001022F7
                                                • GetMenuItemCount.USER32(000000FF), ref: 00102355
                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00102386
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                • String ID:
                                                • API String ID: 3311875123-0
                                                • Opcode ID: 9d50e074986e565c4833eb72f112d090b49c6f0de0aeae5e3eb5dee02c02ad75
                                                • Instruction ID: 4a96517cd69d1853f52c306f2ff87d754c433c6e0e12cd23953c7db1328135a9
                                                • Opcode Fuzzy Hash: 9d50e074986e565c4833eb72f112d090b49c6f0de0aeae5e3eb5dee02c02ad75
                                                • Instruction Fuzzy Hash: 1C51CE30A00209EBDF25CF68C88CBAEBBF5BF19314F148129E895AB2D0D3B48945CB51
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • BeginPaint.USER32(?,?,?,?,?,?), ref: 000A179A
                                                • GetWindowRect.USER32(?,?), ref: 000A17FE
                                                • ScreenToClient.USER32(?,?), ref: 000A181B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000A182C
                                                • EndPaint.USER32(?,?), ref: 000A1876
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                • String ID:
                                                • API String ID: 1827037458-0
                                                • Opcode ID: 44e1330ad8a8d15ab2bbcddf59b2c298b786aa315504884d55d24bdfe0ac3e43
                                                • Instruction ID: 54622aa1f615bfb4df3447876f8af2406a4e5f50f5c271476ff9915faf964b6e
                                                • Opcode Fuzzy Hash: 44e1330ad8a8d15ab2bbcddf59b2c298b786aa315504884d55d24bdfe0ac3e43
                                                • Instruction Fuzzy Hash: 6141A030504700EFD720DF65CC84BFA7BF9EB46724F044629F5A48B6A2CB709856DB61
                                                APIs
                                                • ShowWindow.USER32(001657B0,00000000,01175BF0,?,?,001657B0,?,0012B5A8,?,?), ref: 0012B712
                                                • EnableWindow.USER32(00000000,00000000), ref: 0012B736
                                                • ShowWindow.USER32(001657B0,00000000,01175BF0,?,?,001657B0,?,0012B5A8,?,?), ref: 0012B796
                                                • ShowWindow.USER32(00000000,00000004,?,0012B5A8,?,?), ref: 0012B7A8
                                                • EnableWindow.USER32(00000000,00000001), ref: 0012B7CC
                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0012B7EF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$Show$Enable$MessageSend
                                                • String ID:
                                                • API String ID: 642888154-0
                                                • Opcode ID: f448e1c166defc454f03e9fa80174945736fb4f0bfd18e25f368e5a6a1eb7cd3
                                                • Instruction ID: 7f52654769e19426672b19a408e62bdbc8791e1f2377878e872b1397a495830d
                                                • Opcode Fuzzy Hash: f448e1c166defc454f03e9fa80174945736fb4f0bfd18e25f368e5a6a1eb7cd3
                                                • Instruction Fuzzy Hash: C9417F34609251AFDB26CF24E4DAB957BF1FF45310F1841B9E9488F6E2C731A8A6CB50
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,00114E41,?,?,00000000,00000001), ref: 001170AC
                                                  • Part of subcall function 001139A0: GetWindowRect.USER32(?,?), ref: 001139B3
                                                • GetDesktopWindow.USER32 ref: 001170D6
                                                • GetWindowRect.USER32(00000000), ref: 001170DD
                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0011710F
                                                  • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                • GetCursorPos.USER32(?), ref: 0011713B
                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00117199
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                • String ID:
                                                • API String ID: 4137160315-0
                                                • Opcode ID: 23623dcc323d677bced6f8ef722a9062147e12513755d5453645215267798c86
                                                • Instruction ID: 43a7332682c17a49690d78732af7733b1787da4f4e6b4372ba9d0376a6f65121
                                                • Opcode Fuzzy Hash: 23623dcc323d677bced6f8ef722a9062147e12513755d5453645215267798c86
                                                • Instruction Fuzzy Hash: 0831B072509305ABD724DF14C849F9BBBBAFF88314F000929F58597291CB74EA5ACB92
                                                APIs
                                                  • Part of subcall function 000F80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F80C0
                                                  • Part of subcall function 000F80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F80CA
                                                  • Part of subcall function 000F80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F80D9
                                                  • Part of subcall function 000F80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000F80E0
                                                  • Part of subcall function 000F80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F80F6
                                                • GetLengthSid.ADVAPI32(?,00000000,000F842F), ref: 000F88CA
                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 000F88D6
                                                • HeapAlloc.KERNEL32(00000000), ref: 000F88DD
                                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 000F88F6
                                                • GetProcessHeap.KERNEL32(00000000,00000000,000F842F), ref: 000F890A
                                                • HeapFree.KERNEL32(00000000), ref: 000F8911
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                • String ID:
                                                • API String ID: 3008561057-0
                                                • Opcode ID: 741b475290f50edbb0a127dfe41247f4262289a3f15173a9e4a5c0a0f01e09fa
                                                • Instruction ID: 31a7a08123cd241d846891e300089759ee9423c94add5c12e5795a69c8d6c832
                                                • Opcode Fuzzy Hash: 741b475290f50edbb0a127dfe41247f4262289a3f15173a9e4a5c0a0f01e09fa
                                                • Instruction Fuzzy Hash: C911AC31601209FFDB649FA4DC0ABFE7BB9EB45311F54802CE98597610CB729962EB60
                                                APIs
                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000F85E2
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 000F85E9
                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000F85F8
                                                • CloseHandle.KERNEL32(00000004), ref: 000F8603
                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000F8632
                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 000F8646
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                • String ID:
                                                • API String ID: 1413079979-0
                                                • Opcode ID: ddaaf8035a2251a652d1c96195e15972d5413f156c8279b465996bffef71da6b
                                                • Instruction ID: f15c9fd57b6e051c475664fb30ab55a610d7679d13ec704e559d0b92dfb26932
                                                • Opcode Fuzzy Hash: ddaaf8035a2251a652d1c96195e15972d5413f156c8279b465996bffef71da6b
                                                • Instruction Fuzzy Hash: 3F114A7250024DBBDF118FA4ED49FEE7BB9EB08704F048069FE04A2560C6718D62EB60
                                                APIs
                                                • GetDC.USER32(00000000), ref: 000FB7B5
                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 000FB7C6
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000FB7CD
                                                • ReleaseDC.USER32(00000000,00000000), ref: 000FB7D5
                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 000FB7EC
                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 000FB7FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CapsDevice$Release
                                                • String ID:
                                                • API String ID: 1035833867-0
                                                • Opcode ID: e9a948367a524604812b2ca2a7237429d58973cee84681639e5816762d88c855
                                                • Instruction ID: afeb444c5a4fb7c7e2eac4f3b6115399ea671d6d9bb11b22cdc995e7e7bb7bb9
                                                • Opcode Fuzzy Hash: e9a948367a524604812b2ca2a7237429d58973cee84681639e5816762d88c855
                                                • Instruction Fuzzy Hash: 24018475E00309BBEB10ABA6DD45E5EBFB8EB48311F004079FA08A7691D6309C11CF91
                                                APIs
                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C0193
                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 000C019B
                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C01A6
                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C01B1
                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 000C01B9
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 000C01C1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Virtual
                                                • String ID:
                                                • API String ID: 4278518827-0
                                                • Opcode ID: d1b52384855e322065998515d744a4f094e4d303004c40fbc4a5d49e4a0f232e
                                                • Instruction ID: 1a06bd8f1c17f050b0c0215311757ee313187ecc155d4325525a2692e4f7d128
                                                • Opcode Fuzzy Hash: d1b52384855e322065998515d744a4f094e4d303004c40fbc4a5d49e4a0f232e
                                                • Instruction Fuzzy Hash: A30148B09027597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A868CBE5
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001053F9
                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0010540F
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 0010541E
                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010542D
                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00105437
                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010543E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                • String ID:
                                                • API String ID: 839392675-0
                                                • Opcode ID: b02af3aaa5b31c3635a8d92ce3a851225f35dd958b75140c669b6e6304988b7b
                                                • Instruction ID: 4a07d83e39f3745a0d8f07b1d0429894d887b32e3fa00374710d2181eb7ae576
                                                • Opcode Fuzzy Hash: b02af3aaa5b31c3635a8d92ce3a851225f35dd958b75140c669b6e6304988b7b
                                                • Instruction Fuzzy Hash: A1F06231140158BBD7315B529C0DEEB7A7CEBC6B11F00017DF904D145097A01A6386B5
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,?), ref: 00107243
                                                • EnterCriticalSection.KERNEL32(?,?,000B0EE4,?,?), ref: 00107254
                                                • TerminateThread.KERNEL32(00000000,000001F6,?,000B0EE4,?,?), ref: 00107261
                                                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,000B0EE4,?,?), ref: 0010726E
                                                  • Part of subcall function 00106C35: CloseHandle.KERNEL32(00000000,?,0010727B,?,000B0EE4,?,?), ref: 00106C3F
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00107281
                                                • LeaveCriticalSection.KERNEL32(?,?,000B0EE4,?,?), ref: 00107288
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                • String ID:
                                                • API String ID: 3495660284-0
                                                • Opcode ID: b3b1403dfcaee5680940be5a90fd7ae09656c9b5cc58b3aad15e3cdc2e5204e4
                                                • Instruction ID: e747b9f66e762fa5d23930659743e1fc0c7c0e22824c155668662e7adfcb968d
                                                • Opcode Fuzzy Hash: b3b1403dfcaee5680940be5a90fd7ae09656c9b5cc58b3aad15e3cdc2e5204e4
                                                • Instruction Fuzzy Hash: 18F0BE36841212FFE7611B24EE4C9EA3739EF06302F000139F103904E0CBB698A3CB50
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000F899D
                                                • UnloadUserProfile.USERENV(?,?), ref: 000F89A9
                                                • CloseHandle.KERNEL32(?), ref: 000F89B2
                                                • CloseHandle.KERNEL32(?), ref: 000F89BA
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 000F89C3
                                                • HeapFree.KERNEL32(00000000), ref: 000F89CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                • String ID:
                                                • API String ID: 146765662-0
                                                • Opcode ID: 86553a1cca88e7e70a92a1a9e9f1b151b65c01a2176ae956834462d8238219d3
                                                • Instruction ID: 129c9e61c23850acc3c6134c25fe883f0a1e285282e0a1748bbcadf2d71696ca
                                                • Opcode Fuzzy Hash: 86553a1cca88e7e70a92a1a9e9f1b151b65c01a2176ae956834462d8238219d3
                                                • Instruction Fuzzy Hash: 22E0C236004001FBDA115FE1ED0C91ABB79FB89322B508238F21981870CB3294B3DB50
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 00118613
                                                • CharUpperBuffW.USER32(?,?), ref: 00118722
                                                • VariantClear.OLEAUT32(?), ref: 0011889A
                                                  • Part of subcall function 00107562: VariantInit.OLEAUT32(00000000), ref: 001075A2
                                                  • Part of subcall function 00107562: VariantCopy.OLEAUT32(00000000,?), ref: 001075AB
                                                  • Part of subcall function 00107562: VariantClear.OLEAUT32(00000000), ref: 001075B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                • API String ID: 4237274167-1221869570
                                                • Opcode ID: 680a68a786ef17a035967add75a0759dc7933694177a5ed8e08c3f5bf11b78d5
                                                • Instruction ID: e35dc6d85650ab79f681dee9ff7cb515d350f6f1c39ec0eadfba6eaf14fe5b72
                                                • Opcode Fuzzy Hash: 680a68a786ef17a035967add75a0759dc7933694177a5ed8e08c3f5bf11b78d5
                                                • Instruction Fuzzy Hash: 1C917C706043019FC714DF64C48599BB7E4EF89714F14892EF89A9B3A2DB30E946CB52
                                                APIs
                                                  • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                • _memset.LIBCMT ref: 00102B87
                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00102BB6
                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00102C69
                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00102C97
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                • String ID: 0
                                                • API String ID: 4152858687-4108050209
                                                • Opcode ID: def7670e4bdfeabe6e72f7e3676481aa3e3f071a2d856dc36f2b13cc8ff0b7e8
                                                • Instruction ID: 33968f0c0a090f3f6830dbd9249c8551445835ce4a2aa5bdf7713d8d92f22257
                                                • Opcode Fuzzy Hash: def7670e4bdfeabe6e72f7e3676481aa3e3f071a2d856dc36f2b13cc8ff0b7e8
                                                • Instruction Fuzzy Hash: D751BD716083019AE7249F28CA49AAFBBE8EF59314F144A2DF8D5D71D1DBB0CD44CB52
                                                APIs
                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000FD5D4
                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000FD60A
                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000FD61B
                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000FD69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                • String ID: DllGetClassObject
                                                • API String ID: 753597075-1075368562
                                                • Opcode ID: a5c9ae4318f450fecc93b0e843219601059db54a2ca4c940c603d1a06e8003ab
                                                • Instruction ID: 79e60368fcb47589dc3fbf97a4d2a615f09d1455499f24dcd752dcc7cd4edffc
                                                • Opcode Fuzzy Hash: a5c9ae4318f450fecc93b0e843219601059db54a2ca4c940c603d1a06e8003ab
                                                • Instruction Fuzzy Hash: F34181B1600208EFDB15DF54C884AAA7BBAEF44310F1581AEEE09DF605D7B1DD44EBA0
                                                APIs
                                                • _memset.LIBCMT ref: 001027C0
                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001027DC
                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 00102822
                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00165890,00000000), ref: 0010286B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem_memset
                                                • String ID: 0
                                                • API String ID: 1173514356-4108050209
                                                • Opcode ID: 7868e5f6653cc579663e16fc23c43c5d1e0f7c180b2cb4b71c7a4fbc78e7a20c
                                                • Instruction ID: 85c180c5cf094e0218fb660359e08d1f952e760b5c1a3979c41b20bc8365d346
                                                • Opcode Fuzzy Hash: 7868e5f6653cc579663e16fc23c43c5d1e0f7c180b2cb4b71c7a4fbc78e7a20c
                                                • Instruction Fuzzy Hash: F641B1752043419FD724DF24CC48B5ABBE8EF95314F148A2EF9A5972D2DBB0E805CB52
                                                APIs
                                                • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0011D7C5
                                                  • Part of subcall function 000A784B: _memmove.LIBCMT ref: 000A7899
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharLower_memmove
                                                • String ID: cdecl$none$stdcall$winapi
                                                • API String ID: 3425801089-567219261
                                                • Opcode ID: d9e7707a930582834671a5912092007a148ead2db84c45e167531f38fa644d3f
                                                • Instruction ID: 7f1363832bd045222b916a9a7d595805631421bc0c5d8fd2fb6d9d611f83ae6f
                                                • Opcode Fuzzy Hash: d9e7707a930582834671a5912092007a148ead2db84c45e167531f38fa644d3f
                                                • Instruction Fuzzy Hash: 9A318F71904619EBCF04EFA8DC519FEB3B5FF05320B108629E875AB6D2DB71A945CB80
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000F8F14
                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000F8F27
                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 000F8F57
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$_memmove$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 365058703-1403004172
                                                • Opcode ID: 2313561c1d2cc8a3ae073068416fc7bde28d60e2f16277ca431cb90916c5f8bd
                                                • Instruction ID: 94981dfdc0f4665a13daa8422f05379695c76501e5dc9d8b409bb2e5389d92bb
                                                • Opcode Fuzzy Hash: 2313561c1d2cc8a3ae073068416fc7bde28d60e2f16277ca431cb90916c5f8bd
                                                • Instruction Fuzzy Hash: CF21D571A04108BEDB14ABA09C45DFFB779DF06320F148529F925975E2DB39484EE610
                                                APIs
                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011184C
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00111872
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001118A2
                                                • InternetCloseHandle.WININET(00000000), ref: 001118E9
                                                  • Part of subcall function 00112483: GetLastError.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 00112498
                                                  • Part of subcall function 00112483: SetEvent.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 001124AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                • String ID:
                                                • API String ID: 3113390036-3916222277
                                                • Opcode ID: 8b16ddf900753d1b225e1c950d3afcec303ac2928c86fc701ce95ddea58fd8c5
                                                • Instruction ID: 9cd8e3efea9d4f72a82be035dcb74264515311d3fa1514b2d2c322b52bd6d1f0
                                                • Opcode Fuzzy Hash: 8b16ddf900753d1b225e1c950d3afcec303ac2928c86fc701ce95ddea58fd8c5
                                                • Instruction Fuzzy Hash: FD21AFB1500208BFEB159F648C85EFFB6ADEB48744F10813AF50592540DB308D9697A1
                                                APIs
                                                  • Part of subcall function 000A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000A1D73
                                                  • Part of subcall function 000A1D35: GetStockObject.GDI32(00000011), ref: 000A1D87
                                                  • Part of subcall function 000A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A1D91
                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00126461
                                                • LoadLibraryW.KERNEL32(?), ref: 00126468
                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0012647D
                                                • DestroyWindow.USER32(?), ref: 00126485
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                • String ID: SysAnimate32
                                                • API String ID: 4146253029-1011021900
                                                • Opcode ID: bf47d83917a418ac64185af4bbed65781e756637161932b6f5f9f09694b48aab
                                                • Instruction ID: 94d5dc795c1e1ccf23de66ba9e55ed91309c1da6a33acec5dacd78a7902e56b6
                                                • Opcode Fuzzy Hash: bf47d83917a418ac64185af4bbed65781e756637161932b6f5f9f09694b48aab
                                                • Instruction Fuzzy Hash: 8F219D71200265BFEF10AFA4EC80EBB37ADEF59324F104629FA90960D0D771DCA29760
                                                APIs
                                                • GetStdHandle.KERNEL32(0000000C), ref: 00106DBC
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00106DEF
                                                • GetStdHandle.KERNEL32(0000000C), ref: 00106E01
                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00106E3B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                • Opcode ID: fe27c3bfe8db13787883e59fab037dda0b4e93fd7332b629e715983125dcf8dc
                                                • Instruction ID: f71bd04fe490c51810f56a6b7eb2d4f4088c83d6ca2bd7444e5b57e9a1524a0b
                                                • Opcode Fuzzy Hash: fe27c3bfe8db13787883e59fab037dda0b4e93fd7332b629e715983125dcf8dc
                                                • Instruction Fuzzy Hash: B621907460030AAFDB209F69DC05A9A7BF4EF55720F204A29FCE0D72D0DBB099718B50
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 00106E89
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00106EBB
                                                • GetStdHandle.KERNEL32(000000F6), ref: 00106ECC
                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00106F06
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                • Opcode ID: 57d244449a2651e7508761f6bff07c74f75f1c11bcd04631ab7abdb98372037e
                                                • Instruction ID: 0e4ce0f3a493d17dfd16d581d060d7567ce444ba7a8be9fbda8bbc0235891d5c
                                                • Opcode Fuzzy Hash: 57d244449a2651e7508761f6bff07c74f75f1c11bcd04631ab7abdb98372037e
                                                • Instruction Fuzzy Hash: 1B216079500305ABDB20DF69DC04A9A77A8AF55720F200A29FCE1D72D0D7B0A9618B60
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0010AC54
                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0010ACA8
                                                • __swprintf.LIBCMT ref: 0010ACC1
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,0012F910), ref: 0010ACFF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                • String ID: %lu
                                                • API String ID: 3164766367-685833217
                                                • Opcode ID: dd3f8915ffe72e375aadd39d931157021d5a93ef03364cd4823469349a156d3b
                                                • Instruction ID: 03a6909285418a010dee188f81541198d6d591baef0b15ac5a98d6f7aeace3d2
                                                • Opcode Fuzzy Hash: dd3f8915ffe72e375aadd39d931157021d5a93ef03364cd4823469349a156d3b
                                                • Instruction Fuzzy Hash: 5C214130A00209AFCB10DFA5C945EEE7BB8EF49714F004069F909AB252DB71EA56CB61
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 00101B19
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                • API String ID: 3964851224-769500911
                                                • Opcode ID: 64af59348ad61a8b1ae49467ee0f7367779f80595a4956b1b17ef7ca9079b0ed
                                                • Instruction ID: d8e31b3f31197f62d504879b28db81ae8aa8b393cca4309cab159e46c0823af5
                                                • Opcode Fuzzy Hash: 64af59348ad61a8b1ae49467ee0f7367779f80595a4956b1b17ef7ca9079b0ed
                                                • Instruction Fuzzy Hash: 2E115E30910208DFCF00EF94D9519EEB7B4FF2A308B108869D864AB692EB365D1ACB50
                                                APIs
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0011EC07
                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0011EC37
                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0011ED6A
                                                • CloseHandle.KERNEL32(?), ref: 0011EDEB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                • String ID:
                                                • API String ID: 2364364464-0
                                                • Opcode ID: b31aec71b2b15e4bc0f908f1a699784bfd8c07456baf9d04307367aa6ba68944
                                                • Instruction ID: d71a8867d86e793ec2e9f52578a852100c5164f5bab829225febc9e1e1d7e90f
                                                • Opcode Fuzzy Hash: b31aec71b2b15e4bc0f908f1a699784bfd8c07456baf9d04307367aa6ba68944
                                                • Instruction Fuzzy Hash: 6681A371604300AFD724EF68C846FAAB7E5AF45710F04882DF999DB2D2DB75AC41CB52
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 00120E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001200FD
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012013C
                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00120183
                                                • RegCloseKey.ADVAPI32(?,?), ref: 001201AF
                                                • RegCloseKey.ADVAPI32(00000000), ref: 001201BC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                • String ID:
                                                • API String ID: 3440857362-0
                                                • Opcode ID: 35f8fbc1ad7acd587a81daf7e41abd89bd0ecd0617ff58b62e0703c99e62c266
                                                • Instruction ID: 26c04632f3f2da6c9b5c1deecc731b519d8c61b2218c4dafba839035e5e3bfad
                                                • Opcode Fuzzy Hash: 35f8fbc1ad7acd587a81daf7e41abd89bd0ecd0617ff58b62e0703c99e62c266
                                                • Instruction Fuzzy Hash: 09517C71208204AFC715EF54DC81EABB7E9FF88304F00892DF5958B2A2DB31E965CB52
                                                APIs
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0011D927
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0011D9AA
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0011D9C6
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0011DA07
                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0011DA21
                                                  • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00107896,?,?,00000000), ref: 000A5A2C
                                                  • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00107896,?,?,00000000,?,?), ref: 000A5A50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                • String ID:
                                                • API String ID: 327935632-0
                                                • Opcode ID: b29775168725bd0d488fc4cc2ff12c14d5feaf1a1065f963660426b0ed58a762
                                                • Instruction ID: 0a10426d2e0abcf71ffb8da77764d00cc612597298879967dd75f89cc8211d92
                                                • Opcode Fuzzy Hash: b29775168725bd0d488fc4cc2ff12c14d5feaf1a1065f963660426b0ed58a762
                                                • Instruction Fuzzy Hash: 83513935A04609EFCB04EFA8D4849EEB7F4FF19314B458069E815AB312DB31AD86CF91
                                                APIs
                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0010E61F
                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0010E648
                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0010E687
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0010E6AC
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0010E6B4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                • String ID:
                                                • API String ID: 1389676194-0
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 000A2357
                                                • ScreenToClient.USER32(001657B0,?), ref: 000A2374
                                                • GetAsyncKeyState.USER32(00000001), ref: 000A2399
                                                • GetAsyncKeyState.USER32(00000002), ref: 000A23A7
                                                Similarity
                                                • API ID: AsyncState$ClientCursorScreen
                                                • String ID:
                                                • API String ID: 4210589936-0
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000F63E7
                                                • TranslateAcceleratorW.USER32(?,?,?), ref: 000F6433
                                                • TranslateMessage.USER32(?), ref: 000F645C
                                                • DispatchMessageW.USER32(?), ref: 000F6466
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000F6475
                                                Similarity
                                                • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                • String ID:
                                                • API String ID: 2108273632-0
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 000F8A30
                                                • PostMessageW.USER32(?,00000201,00000001), ref: 000F8ADA
                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000F8AE2
                                                • PostMessageW.USER32(?,00000202,00000000), ref: 000F8AF0
                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000F8AF8
                                                Similarity
                                                • API ID: MessagePostSleep$RectWindow
                                                • String ID:
                                                • API String ID: 3382505437-0
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 000FB204
                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000FB221
                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000FB259
                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000FB27F
                                                • _wcsstr.LIBCMT ref: 000FB289
                                                Similarity
                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                • String ID:
                                                • API String ID: 3902887630-0
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0012B192
                                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0012B1B7
                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0012B1CF
                                                • GetSystemMetrics.USER32(00000004), ref: 0012B1F8
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00110E90,00000000), ref: 0012B216
                                                Similarity
                                                • API ID: Window$Long$MetricsSystem
                                                • String ID:
                                                • API String ID: 2294984445-0
                                                APIs
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000F9320
                                                  • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000F9352
                                                • __itow.LIBCMT ref: 000F936A
                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000F9392
                                                • __itow.LIBCMT ref: 000F93A3
                                                Similarity
                                                • API ID: MessageSend$__itow$_memmove
                                                • String ID:
                                                • API String ID: 2983881199-0
                                                APIs
                                                • IsWindow.USER32(00000000), ref: 00115A6E
                                                • GetForegroundWindow.USER32 ref: 00115A85
                                                • GetDC.USER32(00000000), ref: 00115AC1
                                                • GetPixel.GDI32(00000000,?,00000003), ref: 00115ACD
                                                • ReleaseDC.USER32(00000000,00000003), ref: 00115B08
                                                Similarity
                                                • API ID: Window$ForegroundPixelRelease
                                                • String ID:
                                                • API String ID: 4156661090-0
                                                APIs
                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A134D
                                                • SelectObject.GDI32(?,00000000), ref: 000A135C
                                                • BeginPath.GDI32(?), ref: 000A1373
                                                • SelectObject.GDI32(?,00000000), ref: 000A139C
                                                Similarity
                                                • API ID: ObjectSelect$BeginCreatePath
                                                • String ID:
                                                • API String ID: 3225163088-0
                                                APIs
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID:
                                                • API String ID: 2931989736-0
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 00104ABA
                                                • __beginthreadex.LIBCMT ref: 00104AD8
                                                • MessageBoxW.USER32(?,?,?,?), ref: 00104AED
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00104B03
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00104B0A
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                • String ID:
                                                • API String ID: 3824534824-0
                                                APIs
                                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F821E
                                                • GetLastError.KERNEL32(?,000F7CE2,?,?,?), ref: 000F8228
                                                • GetProcessHeap.KERNEL32(00000008,?,?,000F7CE2,?,?,?), ref: 000F8237
                                                • HeapAlloc.KERNEL32(00000000,?,000F7CE2,?,?,?), ref: 000F823E
                                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F8255
                                                Similarity
                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 842720411-0
                                                • Opcode ID: d0dfcdf4924756b42b82ba34770c014c58ef3bb91a66ed9285ce888ab550ee7e
                                                • Instruction ID: 85ebdff3ccc129c06f61a57883cadd79f9ea3e06ea72cc54d3ecc5c1d5033200
                                                • Opcode Fuzzy Hash: d0dfcdf4924756b42b82ba34770c014c58ef3bb91a66ed9285ce888ab550ee7e
                                                • Instruction Fuzzy Hash: 64016D71600208BFDB604FA5DC48DAB7BBCEF8A754B50443DF909C2620EB319C62DB60
                                                APIs
                                                • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?,?,000F7455), ref: 000F7127
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?), ref: 000F7142
                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?), ref: 000F7150
                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?), ref: 000F7160
                                                • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?), ref: 000F716C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                • String ID:
                                                • API String ID: 3897988419-0
                                                • Opcode ID: 23341aabddf9830115e22fd1e2ca54af647649b0ced7da2c4c2823c02041571d
                                                • Instruction ID: 636307e2dda0fae041ffbd6beb507f5011f797212be6f5ea22021dd3f6f4ee3b
                                                • Opcode Fuzzy Hash: 23341aabddf9830115e22fd1e2ca54af647649b0ced7da2c4c2823c02041571d
                                                • Instruction Fuzzy Hash: 98017176601208BBDB214F68DC44AAABBFDFB44751F140078FE08D2620D731DD56A7A0
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00105260
                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0010526E
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00105276
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00105280
                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                • String ID:
                                                • API String ID: 2833360925-0
                                                • Opcode ID: 7f14bec63c738f0ccaaef17a8334274e6c8d972c0ce686b346196a79fbc21f92
                                                • Instruction ID: 646e43166f6344a396aaa6911c3519802b6e17bb209929dc90bbf71cb023ef40
                                                • Opcode Fuzzy Hash: 7f14bec63c738f0ccaaef17a8334274e6c8d972c0ce686b346196a79fbc21f92
                                                • Instruction Fuzzy Hash: 81016D31D01A1DEBDF14EFE4D8485EEBB79FF0D711F41006AE981B2180CB7055A28BA1
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F8121
                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F812B
                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F813A
                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8141
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8157
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                • Opcode ID: b278fed73b65d23432d45f177ff30da16e15d9e9ed6df6db8ef357cc11d03615
                                                • Instruction ID: 4b2104e3de35f9825df91156c593c34c527e3e604015bdee4b5b530f7524bd78
                                                • Opcode Fuzzy Hash: b278fed73b65d23432d45f177ff30da16e15d9e9ed6df6db8ef357cc11d03615
                                                • Instruction Fuzzy Hash: CAF03C75200308BFEB610FA5EC88EB73BADFF49B54F104139FA4586550DB6199A3EB60
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 000FC1F7
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 000FC20E
                                                • MessageBeep.USER32(00000000), ref: 000FC226
                                                • KillTimer.USER32(?,0000040A), ref: 000FC242
                                                • EndDialog.USER32(?,00000001), ref: 000FC25C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                • Opcode ID: f2737ceacadc3054bffe78bd6f14e2707adfd0be56fac4e2c5405c20daa1ce41
                                                • Instruction ID: 8e219b5088cc85b6f3c208fec4fbda07a08c7cd5b21c39d1017e86d6c108b566
                                                • Opcode Fuzzy Hash: f2737ceacadc3054bffe78bd6f14e2707adfd0be56fac4e2c5405c20daa1ce41
                                                • Instruction Fuzzy Hash: 5501A73040430CABFB705B50DD4EFA677B8FB00B05F00026DA642A18E1D7E46999AB50
                                                APIs
                                                • EndPath.GDI32(?), ref: 000A13BF
                                                • StrokeAndFillPath.GDI32(?,?,000DB888,00000000,?), ref: 000A13DB
                                                • SelectObject.GDI32(?,00000000), ref: 000A13EE
                                                • DeleteObject.GDI32 ref: 000A1401
                                                • StrokePath.GDI32(?), ref: 000A141C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                • String ID:
                                                • API String ID: 2625713937-0
                                                • Opcode ID: b59b6648490875e2a17a591ecb0f6e324570bf5097cde76e38846316bf2ce8a0
                                                • Instruction ID: 1156f9639017afb9ab25d3fd27b1e81f053abdb47b92d524605136e976527cc7
                                                • Opcode Fuzzy Hash: b59b6648490875e2a17a591ecb0f6e324570bf5097cde76e38846316bf2ce8a0
                                                • Instruction Fuzzy Hash: B2F0CD31004708EBDB215F5AED4C7983BFAA742326F088228F4694ACF1C77545E6DF64
                                                APIs
                                                  • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                  • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 000A7A51: _memmove.LIBCMT ref: 000A7AAB
                                                • __swprintf.LIBCMT ref: 000B2ECD
                                                Strings
                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 000B2D66
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                • API String ID: 1943609520-557222456
                                                • Opcode ID: ec8f51a27c589f0ae1e4247ef0f6f521daab12c3e4d47929f637f5315991c448
                                                • Instruction ID: 7c6bd203a4e7aa5e00d57fd07cce8d118810023dc1013435339372c586587a82
                                                • Opcode Fuzzy Hash: ec8f51a27c589f0ae1e4247ef0f6f521daab12c3e4d47929f637f5315991c448
                                                • Instruction Fuzzy Hash: 00915A71118201AFC714EF64D885DAFB7E8EF96750F00492DF496AB2A2EB31ED44CB52
                                                APIs
                                                  • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                • CoInitialize.OLE32(00000000), ref: 0010B9BB
                                                • CoCreateInstance.OLE32(00132D6C,00000000,00000001,00132BDC,?), ref: 0010B9D4
                                                • CoUninitialize.OLE32 ref: 0010B9F1
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                • String ID: .lnk
                                                • API String ID: 2126378814-24824748
                                                • Opcode ID: 37ffd611f01383698cf618ee572bfcd7744f5103afe21d853b294471545d64cb
                                                • Instruction ID: 559d923255ad333980e77b6601d2c9d0f8b1ce933a88737ef29b2ffb9a8d689a
                                                • Opcode Fuzzy Hash: 37ffd611f01383698cf618ee572bfcd7744f5103afe21d853b294471545d64cb
                                                • Instruction Fuzzy Hash: E0A169756043059FCB10DF54C884D6ABBE5FF8A714F048998F8999B3A2CB71EC46CB91
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 000C50AD
                                                  • Part of subcall function 000D00F0: __87except.LIBCMT ref: 000D012B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ErrorHandling__87except__start
                                                • String ID: pow
                                                • API String ID: 2905807303-2276729525
                                                • Opcode ID: 0ee3062bda46f5aa9d75059534ea896fd8796d20e91e6c7d6c13645e2b669aec
                                                • Instruction ID: c6de2ac65c9d846e3d4a353fb75da562c7722a262039b2fe46af38264b810aa2
                                                • Opcode Fuzzy Hash: 0ee3062bda46f5aa9d75059534ea896fd8796d20e91e6c7d6c13645e2b669aec
                                                • Instruction Fuzzy Hash: 7A519D6990970286DB617714CC057BE2BD0EB40301F348D5EF8D9C63EAEF349DC49A92
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memset$_memmove
                                                • String ID: ERCP
                                                • API String ID: 2532777613-1384759551
                                                • Opcode ID: f62224648ede18abbf56cb35b45480b2ebdbc8ccef4f7c565eb5016bdca349c4
                                                • Instruction ID: 3ba67a45faecee9a96356f14e4213cbd30b8fa66b6e745e1f741fa6183c6a7f4
                                                • Opcode Fuzzy Hash: f62224648ede18abbf56cb35b45480b2ebdbc8ccef4f7c565eb5016bdca349c4
                                                • Instruction Fuzzy Hash: 7851BF71900709DBEB24CFA5C981BEAB7F4EF04704F20856EE94ADB251E779EA44CB40
                                                APIs
                                                  • Part of subcall function 001014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F9296,?,?,00000034,00000800,?,00000034), ref: 001014E6
                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000F983F
                                                  • Part of subcall function 00101487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 001014B1
                                                  • Part of subcall function 001013DE: GetWindowThreadProcessId.USER32(?,?), ref: 00101409
                                                  • Part of subcall function 001013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000F925A,00000034,?,?,00001004,00000000,00000000), ref: 00101419
                                                  • Part of subcall function 001013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000F925A,00000034,?,?,00001004,00000000,00000000), ref: 0010142F
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F98AC
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F98F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                • String ID: @
                                                • API String ID: 4150878124-2766056989
                                                • Opcode ID: 21bd46f3dc16262f9cd1407ec20a277ed79d3c384395f8ff0a9b170ce64733e8
                                                • Instruction ID: d7661338fd4a6d96589eae017b826d73ad4ec1abf02d7665ad380ac3ccbd5f94
                                                • Opcode Fuzzy Hash: 21bd46f3dc16262f9cd1407ec20a277ed79d3c384395f8ff0a9b170ce64733e8
                                                • Instruction Fuzzy Hash: 2C413D7690021CBEDB10DFA4CC81EEEBBB8EB19300F104199FA55B7191DB756E85DBA0
                                                APIs
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0012F910,00000000,?,?,?,?), ref: 001279DF
                                                • GetWindowLongW.USER32 ref: 001279FC
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00127A0C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$Long
                                                • String ID: SysTreeView32
                                                • API String ID: 847901565-1698111956
                                                • Opcode ID: e966feae6a9a096a4771cbc8d91a87d4255deb1c9a7196f527fea109c03063ff
                                                • Instruction ID: 501895320c6581ff0a67383ebb3c361a02eba199e9d8ca606fee5b78cb4be1b5
                                                • Opcode Fuzzy Hash: e966feae6a9a096a4771cbc8d91a87d4255deb1c9a7196f527fea109c03063ff
                                                • Instruction Fuzzy Hash: 2031BC31204216AFDF118E38EC45BEB77A9EB09334F244729F875A32E0D730E9A18B50
                                                APIs
                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00127461
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00127475
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00127499
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: SysMonthCal32
                                                • API String ID: 2326795674-1439706946
                                                • Opcode ID: b1023b1a5a28bf30708f3b05c972f2f15e65d811945c457dd055a09b38a4ae70
                                                • Instruction ID: e476b4e12b4b7fe951eb7c69325c529828489e4c62b72eaae7ac249e92175fe5
                                                • Opcode Fuzzy Hash: b1023b1a5a28bf30708f3b05c972f2f15e65d811945c457dd055a09b38a4ae70
                                                • Instruction Fuzzy Hash: F321E132500228BBDF159E54DC42FEB3B79EB48724F110114FE146B1D0DBB1ACA18BA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00127C4A
                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00127C58
                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00127C5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$DestroyWindow
                                                • String ID: msctls_updown32
                                                • API String ID: 4014797782-2298589950
                                                • Opcode ID: be947b13d4733109cf4ed7a13fa6d627b2951750db298ae70f086b86106c8069
                                                • Instruction ID: 786d5724ccb0f19b25c36ebf6ef5a71908f4bbe6847235aeefba113f615f5a9f
                                                • Opcode Fuzzy Hash: be947b13d4733109cf4ed7a13fa6d627b2951750db298ae70f086b86106c8069
                                                • Instruction Fuzzy Hash: E3218CB5604219AFDB10DF28ECC1DA737EDEF4A394B140059FA119B3A1CB71EC618BA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00126D3B
                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00126D4B
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00126D70
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend$MoveWindow
                                                • String ID: Listbox
                                                • API String ID: 3315199576-2633736733
                                                • Opcode ID: 9d58ecde636f3bbddfcaaebceb698fbb98910dfeb58577ff2b0b464b28c885e2
                                                • Instruction ID: afcfa60ae40a9f9b35e5f8974ccb2b14b0ddc1cfc3e0117f097377fe0a2991fa
                                                • Opcode Fuzzy Hash: 9d58ecde636f3bbddfcaaebceb698fbb98910dfeb58577ff2b0b464b28c885e2
                                                • Instruction Fuzzy Hash: EA219532600128BFDF159F54EC45FAB377AEF89750F018128F9555B1D0C7719C6187A0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00127772
                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00127787
                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00127794
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: msctls_trackbar32
                                                • API String ID: 3850602802-1010561917
                                                • Opcode ID: 7f0eb4f1f024afef9b4a107f85a7fa3592929f20250406764765d40d2d78e23e
                                                • Instruction ID: 1a07e6771869172b0394c471ff3caa17e1418eb26b6c806ee721d5616cd77a6f
                                                • Opcode Fuzzy Hash: 7f0eb4f1f024afef9b4a107f85a7fa3592929f20250406764765d40d2d78e23e
                                                • Instruction Fuzzy Hash: 0A113672204208BFEF205FA0DC09FEB37A9EF89B54F010128FA41A60D0C372E861CB20
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,000A4BD0,?,000A4DEF,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4C11
                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000A4C23
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-3689287502
                                                • Opcode ID: 430622fa276ea811570029d9b33f62bcd0f068b779830a52292d087464766d72
                                                • Instruction ID: b3d4f9469460ef6c4e339a24e30c13084356ed00c3851589170f8671ade1db2b
                                                • Opcode Fuzzy Hash: 430622fa276ea811570029d9b33f62bcd0f068b779830a52292d087464766d72
                                                • Instruction Fuzzy Hash: 63D0C230510713DFC7206FB0D908247B6E5EF09352F008C3D9486C6550E7F0D4D2C610
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,000A4B83,?), ref: 000A4C44
                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000A4C56
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-1355242751
                                                • Opcode ID: c880924782afa3e887a27cf501583efc3eda02ed0b863b3d34a6b00918bcc04c
                                                • Instruction ID: dacc8859541f7abfb508f70808222ec91fdb9dab65e51da4516d45b5884bcfb7
                                                • Opcode Fuzzy Hash: c880924782afa3e887a27cf501583efc3eda02ed0b863b3d34a6b00918bcc04c
                                                • Instruction Fuzzy Hash: 6AD0C730610723DFC7208F71D90820A76E4AF06361F10883E98AACA560E7B0E8E1CA10
                                                APIs
                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00121039), ref: 00120DF5
                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00120E07
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                • API String ID: 2574300362-4033151799
                                                • Opcode ID: d5dce1fa91e2f3997da6499f51942c4c5c2d41c838b1d636b9368aa1ba3a7e2b
                                                • Instruction ID: e3b08f1d2c29090ca8a84f8b135a68dc4bfdb99264d88659e59c5687c2c88b51
                                                • Opcode Fuzzy Hash: d5dce1fa91e2f3997da6499f51942c4c5c2d41c838b1d636b9368aa1ba3a7e2b
                                                • Instruction Fuzzy Hash: 5ED0C730420322DFC3218F70D808282B2E5AF08342F028C3E9892E6550E7B8D8F0CA00
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00118CF4,?,0012F910), ref: 001190EE
                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00119100
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                • API String ID: 2574300362-199464113
                                                • Opcode ID: 0786d0265ab10e3d5cd531d728a762312715e511eaf1aa4cb573e7ba76c7fb7d
                                                • Instruction ID: cbe6ec54f37c9cda99518fc918a2342e4710135b31d4d4a9546ff62eec53a51b
                                                • Opcode Fuzzy Hash: 0786d0265ab10e3d5cd531d728a762312715e511eaf1aa4cb573e7ba76c7fb7d
                                                • Instruction Fuzzy Hash: 08D01234610713EFD7209F31D81964676E5AF05751F15883E94A5D6550E770C4D1C650
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: LocalTime__swprintf
                                                • String ID: %.3d$WIN_XPe
                                                • API String ID: 2070861257-2409531811
                                                • Opcode ID: a56aa0432925878c06f5715e2a577fb6b65ddce5a548465b459833886f05020c
                                                • Instruction ID: 03da06eb54a1c87a4dd4a0d689ec7ec28740720f0d576e8a844790aab4facb10
                                                • Opcode Fuzzy Hash: a56aa0432925878c06f5715e2a577fb6b65ddce5a548465b459833886f05020c
                                                • Instruction Fuzzy Hash: F7D01771808298FECB249B929888DFD777CAB09B12F100462B842B2180E2318B95EA21
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c2ac868932418840e78acecbc9c406e1841acb612bc60c6bc30543f07b2e0d7c
                                                • Instruction ID: e865276a11d6a3036f0600a55860f64cc5dcb6368407c77966da6e0b2e4d05cf
                                                • Opcode Fuzzy Hash: c2ac868932418840e78acecbc9c406e1841acb612bc60c6bc30543f07b2e0d7c
                                                • Instruction Fuzzy Hash: F7C15C74A0421AEFCB14CF94C884EAEBBF5FF48704B158598E909DB651D730ED81EB91
                                                APIs
                                                • CharLowerBuffW.USER32(?,?), ref: 0011E0BE
                                                • CharLowerBuffW.USER32(?,?), ref: 0011E101
                                                  • Part of subcall function 0011D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0011D7C5
                                                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0011E301
                                                • _memmove.LIBCMT ref: 0011E314
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: BuffCharLower$AllocVirtual_memmove
                                                • String ID:
                                                • API String ID: 3659485706-0
                                                • Opcode ID: ea33deef2ab5107506642123a61adb2dedfcd9b2ed767b295574db8494c1bdb5
                                                • Instruction ID: 32dfe66a9b7a822082defd2391d1d82cdbaa6214c9583afb886a3c06e93bc4bf
                                                • Opcode Fuzzy Hash: ea33deef2ab5107506642123a61adb2dedfcd9b2ed767b295574db8494c1bdb5
                                                • Instruction Fuzzy Hash: D6C14A71608301DFC718DF68C490AAABBE4FF89714F14896EF8999B351D731E986CB81
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 001180C3
                                                • CoUninitialize.OLE32 ref: 001180CE
                                                  • Part of subcall function 000FD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000FD5D4
                                                • VariantInit.OLEAUT32(?), ref: 001180D9
                                                • VariantClear.OLEAUT32(?), ref: 001183AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                • String ID:
                                                • API String ID: 780911581-0
                                                • Opcode ID: b9ea7fb96732612b749c8657c23669da4a9087a0c21cf2c65990e0790261f378
                                                • Instruction ID: 6a256956206972293c98da77de09da7283d672f141bf4e5dba6c16dcfbb5ac31
                                                • Opcode Fuzzy Hash: b9ea7fb96732612b749c8657c23669da4a9087a0c21cf2c65990e0790261f378
                                                • Instruction Fuzzy Hash: 05A158757047019FCB14DF64C881BAAB7E4BF8A714F048468F9969B3A2CB34ED45CB92
                                                APIs
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00132C7C,?), ref: 000F76EA
                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00132C7C,?), ref: 000F7702
                                                • CLSIDFromProgID.OLE32(?,?,00000000,0012FB80,000000FF,?,00000000,00000800,00000000,?,00132C7C,?), ref: 000F7727
                                                • _memcmp.LIBCMT ref: 000F7748
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FromProg$FreeTask_memcmp
                                                • String ID:
                                                • API String ID: 314563124-0
                                                • Opcode ID: d3d90e1c88a41b4709f31a8abef080befd8237b47ebf77bda9e8d63efce1d801
                                                • Instruction ID: cf5b9e0823a5303db3c4d61db5f336357883a9eda601ba20e28abfb7707d9d5a
                                                • Opcode Fuzzy Hash: d3d90e1c88a41b4709f31a8abef080befd8237b47ebf77bda9e8d63efce1d801
                                                • Instruction Fuzzy Hash: 96811B75A00209EFCB04DFA4C984EEEB7B9FF89315F204558E509EB250DB71AE06DB61
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                 • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Variant$AllocClearCopyInitString
                                                • String ID:
                                                • API String ID: 2808897238-0
                                                • Opcode ID: 992fd489ac83fb8778d0cae217f1496554b21cf0b2f2e3c8a572f506cbf62dea
                                                • Instruction ID: 164f4875327f51d5e4b52fe14e602af1bed40ec4e07a7f94c50dfbad43e9c416
                                                • Opcode Fuzzy Hash: 992fd489ac83fb8778d0cae217f1496554b21cf0b2f2e3c8a572f506cbf62dea
                                                • Instruction Fuzzy Hash: 5F51E874704309DACB24EFA5D491A7EB3E4AF45310F20C81FE686DBA92DB76D840EB11
                                                APIs
                                                • GetWindowRect.USER32(0117F050,?), ref: 00129863
                                                • ScreenToClient.USER32(00000002,00000002), ref: 00129896
                                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00129903
                                                Similarity
                                                • API ID: Window$ClientMoveRectScreen
                                                • String ID:
                                                • API String ID: 3880355969-0
                                                • Opcode ID: 0e83234a3b93f7970089bf408861ab4be77c71145d08727dd3a4dd70ac1a1743
                                                • Instruction ID: 37f108c80f0ad4b7028c7009f04c8e0c0d409b9c88c412a4b0b6ad9e8cd04c6e
                                                • Opcode Fuzzy Hash: 0e83234a3b93f7970089bf408861ab4be77c71145d08727dd3a4dd70ac1a1743
                                                • Instruction Fuzzy Hash: 60517374A00219EFCF14CF58E880AAE7BB6FF45360F14816DF9559B2A0D731ADA1CB90
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000F9AD2
                                                • __itow.LIBCMT ref: 000F9B03
                                                  • Part of subcall function 000F9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000F9DBE
                                                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 000F9B6C
                                                • __itow.LIBCMT ref: 000F9BC3
                                                Similarity
                                                • API ID: MessageSend$__itow
                                                • String ID:
                                                • API String ID: 3379773720-0
                                                • Opcode ID: b01a17c4c6f2c00bfbdeec8c4638ab91f3f074ff9b3da890a6380e2bb5781fe6
                                                • Instruction ID: 8fe5a0e0d18599fe5a1e2b4f0676d3374ac9bbe648a75a53a81ec81b6fd6e359
                                                • Opcode Fuzzy Hash: b01a17c4c6f2c00bfbdeec8c4638ab91f3f074ff9b3da890a6380e2bb5781fe6
                                                • Instruction Fuzzy Hash: 7A417F70A0020CABDF25EF54D845BFE7BB9EF45760F004069BA09A6292DB709944DBA1
                                                APIs
                                                • socket.WSOCK32(00000002,00000002,00000011), ref: 001169D1
                                                • WSAGetLastError.WSOCK32(00000000), ref: 001169E1
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00116A45
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00116A51
                                                Similarity
                                                • API ID: ErrorLast$__itow__swprintfsocket
                                                • String ID:
                                                • API String ID: 2214342067-0
                                                • Opcode ID: df9f9b34463ad12178c092511bff7c19d11c3eaefe9d4e241fa54efe445914a2
                                                • Instruction ID: 2367b1197963aa22b73fcdf070a5489c5e84f9ca00ad82c5c51d012613fa4612
                                                • Opcode Fuzzy Hash: df9f9b34463ad12178c092511bff7c19d11c3eaefe9d4e241fa54efe445914a2
                                                • Instruction Fuzzy Hash: 0D41AC35700200AFEB24AFA4DC86FAA77A49F05B14F04C028FA19AF2C3DB759D418B91
                                                APIs
                                                • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0012F910), ref: 001164A7
                                                • _strlen.LIBCMT ref: 001164D9
                                                Similarity
                                                • API ID: _strlen
                                                • String ID:
                                                • API String ID: 4218353326-0
                                                • Opcode ID: 7b761436374d48b80e96e458e7bb3170f7467796bebcf97c0a157540402161b9
                                                • Instruction ID: 6ae63cb08782d8c8bfd2c518d95ff77a836d9b99df5f0c75c3134eb53e23cbbd
                                                • Opcode Fuzzy Hash: 7b761436374d48b80e96e458e7bb3170f7467796bebcf97c0a157540402161b9
                                                • Instruction Fuzzy Hash: CA41B331A00108ABCB18EBA8DC95FFEB7B9AF15350F148169F9199B2D3DB31AD41CB50
                                                APIs
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0010B89E
                                                • GetLastError.KERNEL32(?,00000000), ref: 0010B8C4
                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0010B8E9
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0010B915
                                                Similarity
                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                • String ID:
                                                • API String ID: 3321077145-0
                                                • Opcode ID: 62626b5dfceb7a8e4bb75da38e4bef74c4174f7be0f3bbd3004d4a33c92eb170
                                                • Instruction ID: f258b2d5a6b6935925ca6ce006d127d3a19eb45ca0295965f2e3e2610c81f01d
                                                • Opcode Fuzzy Hash: 62626b5dfceb7a8e4bb75da38e4bef74c4174f7be0f3bbd3004d4a33c92eb170
                                                • Instruction Fuzzy Hash: A6410739700610DFCB10EF55C584A9ABBE1AF4A714F098098ED8A9F762CB74FD42CB91
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001288DE
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: 8d9aa90a46d6a9eb2415f023ec2d2f3b402eb3f5623357192b9138cb834e5c4f
                                                • Instruction ID: 5b6e456a2e05735083576fd8663fedba42a674ef5e291ab605ba06f00d959c7f
                                                • Opcode Fuzzy Hash: 8d9aa90a46d6a9eb2415f023ec2d2f3b402eb3f5623357192b9138cb834e5c4f
                                                • Instruction Fuzzy Hash: 4431F434602128FFEF249A58EC45FB837A5EB49314F544116FA11E61A1CF70D9F1D752
                                                APIs
                                                • ClientToScreen.USER32(?,?), ref: 0012AB60
                                                • GetWindowRect.USER32(?,?), ref: 0012ABD6
                                                • PtInRect.USER32(?,?,0012C014), ref: 0012ABE6
                                                • MessageBeep.USER32(00000000), ref: 0012AC57
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                • Opcode ID: d17d2f141116159307f1ed169911afdb784b90cc9669643ec463f47c60477bc4
                                                • Instruction ID: 573502cc0876e7d89c4f52cb34182f99e332f9350aaea1086fb3893846ff2da9
                                                • Opcode Fuzzy Hash: d17d2f141116159307f1ed169911afdb784b90cc9669643ec463f47c60477bc4
                                                • Instruction Fuzzy Hash: 3E41A430600129DFCB21DF58E884B59BBF6FF49310F5480A9E458DB665D731E861CF92
                                                APIs
                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00100B27
                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 00100B43
                                                • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00100BA9
                                                • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00100BFB
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: 60ed4a1d3d88e4c5a538baae0f668652f82ed0bb0eaac38ce92f611f946b899b
                                                • Instruction ID: 61f7640c1b3b6591c728581af19f94b4b76a43896adad82e68ffe46a9e424ee6
                                                • Opcode Fuzzy Hash: 60ed4a1d3d88e4c5a538baae0f668652f82ed0bb0eaac38ce92f611f946b899b
                                                • Instruction Fuzzy Hash: 0F315834D4061CAEFF368B298C05BFABBA9AF4D318F08436AF5C1521D1C3F889959751
                                                APIs
                                                • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00100C66
                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 00100C82
                                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 00100CE1
                                                • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00100D33
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: 1aff2e053e8448fdeb8dd342c843f28fb28e37314dd6615564d0fdbad5be99bf
                                                • Instruction ID: 48443613af059de792505ec689e096675cf301b34cc7b1f9113fcbb3443381d3
                                                • Opcode Fuzzy Hash: 1aff2e053e8448fdeb8dd342c843f28fb28e37314dd6615564d0fdbad5be99bf
                                                • Instruction Fuzzy Hash: A0314830900618AEFF368BA488147FEBB75AF4D310F04836FE4C1525D1C3B59D959761
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000D61FB
                                                • __isleadbyte_l.LIBCMT ref: 000D6229
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000D6257
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000D628D
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: 01e0abeab98559f04da9177ef4b8a21cb96f9a714c1dee2494ebc12cc4612451
                                                • Instruction ID: 76393d0d46031ea5626ba2d49d933a6fe57bd1012686ae1804a5cc1579bc2b25
                                                • Opcode Fuzzy Hash: 01e0abeab98559f04da9177ef4b8a21cb96f9a714c1dee2494ebc12cc4612451
                                                • Instruction Fuzzy Hash: E631AE31604746AFDB218FA5CC45BBA7BF9BF41310F15402AE864972A2D732D951DBA0
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 00124F02
                                                  • Part of subcall function 00103641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0010365B
                                                  • Part of subcall function 00103641: GetCurrentThreadId.KERNEL32 ref: 00103662
                                                  • Part of subcall function 00103641: AttachThreadInput.USER32(00000000,?,00105005), ref: 00103669
                                                • GetCaretPos.USER32(?), ref: 00124F13
                                                • ClientToScreen.USER32(00000000,?), ref: 00124F4E
                                                • GetForegroundWindow.USER32 ref: 00124F54
                                                Similarity
                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                • String ID:
                                                • API String ID: 2759813231-0
                                                • Opcode ID: 4b47d2405e1237e85ed2e3a28cb272ba0aa4f9b0b5621cea2426939c5d7cba77
                                                • Instruction ID: 0f73ca8462381d43c48fb32f9a22c7581064e377ac83e06e22fa8253dfd7ae82
                                                • Opcode Fuzzy Hash: 4b47d2405e1237e85ed2e3a28cb272ba0aa4f9b0b5621cea2426939c5d7cba77
                                                • Instruction Fuzzy Hash: E7311E71E00108AFDB14EFA5C9859EFB7FDEF99300F10406AE455E7242DA759E458BA0
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00103C7A
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00103C88
                                                • Process32NextW.KERNEL32(00000000,?), ref: 00103CA8
                                                • CloseHandle.KERNEL32(00000000), ref: 00103D52
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 420147892-0
                                                • Opcode ID: 04e41d04bd02e28ef03e011102e4680ab342dd80f33afc57412eb1de13bdb331
                                                • Instruction ID: 09afa9ff673adc6be19bc692182648c4eedf1d8ba2b75ecfc9600c37831a4d27
                                                • Opcode Fuzzy Hash: 04e41d04bd02e28ef03e011102e4680ab342dd80f33afc57412eb1de13bdb331
                                                • Instruction Fuzzy Hash: 3B3193711083059FD314EF90CC85AEFBBF8AF95354F50092DF495861E2EBB19A4ACB52
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • GetCursorPos.USER32(?), ref: 0012C4D2
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000DB9AB,?,?,?,?,?), ref: 0012C4E7
                                                • GetCursorPos.USER32(?), ref: 0012C534
                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000DB9AB,?,?,?), ref: 0012C56E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                • String ID:
                                                • API String ID: 2864067406-0
                                                • Opcode ID: 542560ad9b0126d32c302ff67231a2f7fb35f80c8746caeb10a46fbe8e382076
                                                • Instruction ID: eec2d8ec2135ab01430963bd500ca2741eba1228f5aff9c1b9fee6b423fe7600
                                                • Opcode Fuzzy Hash: 542560ad9b0126d32c302ff67231a2f7fb35f80c8746caeb10a46fbe8e382076
                                                • Instruction Fuzzy Hash: FA31B435600068BFCB258F58E858DEE7BF6EB09350F044069FA0587661C731A961DFD4
                                                APIs
                                                  • Part of subcall function 000F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F8121
                                                  • Part of subcall function 000F810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F812B
                                                  • Part of subcall function 000F810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F813A
                                                  • Part of subcall function 000F810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8141
                                                  • Part of subcall function 000F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8157
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000F86A3
                                                • _memcmp.LIBCMT ref: 000F86C6
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F86FC
                                                • HeapFree.KERNEL32(00000000), ref: 000F8703
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                • String ID:
                                                • API String ID: 1592001646-0
                                                • Opcode ID: 63eeafbe7cdd3a75388037b810e372a2dc67c48197863aefd099c3203806551b
                                                • Instruction ID: 877a0f41e15acedccac12a5ca12ea57fe4c980669e358afd011c0f168908fbce
                                                • Opcode Fuzzy Hash: 63eeafbe7cdd3a75388037b810e372a2dc67c48197863aefd099c3203806551b
                                                • Instruction Fuzzy Hash: 6B216B71E00108EBDB14DFA4D949BFEB7F8EF44304F158059E644A7641EB30AE45DB50
                                                APIs
                                                • __setmode.LIBCMT ref: 000C09AE
                                                  • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00107896,?,?,00000000), ref: 000A5A2C
                                                  • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00107896,?,?,00000000,?,?), ref: 000A5A50
                                                • _fprintf.LIBCMT ref: 000C09E5
                                                • OutputDebugStringW.KERNEL32(?), ref: 000F5DBB
                                                  • Part of subcall function 000C4AAA: _flsall.LIBCMT ref: 000C4AC3
                                                • __setmode.LIBCMT ref: 000C0A1A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                • String ID:
                                                • API String ID: 521402451-0
                                                • Opcode ID: 5b3dcb437f3e321cc4b790d7f726ad52a64a1014aa7f3cd0789acb7ec43c4eee
                                                • Instruction ID: 3705d8c166dd5e0e202c9a6b02efb6ceba825c73467238454068386d1fd0b49d
                                                • Opcode Fuzzy Hash: 5b3dcb437f3e321cc4b790d7f726ad52a64a1014aa7f3cd0789acb7ec43c4eee
                                                • Instruction Fuzzy Hash: 46110231A04608BBDB04B3F49C46EFE77A8AF52321F20011DF20556183EF60484697A2
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001117A3
                                                  • Part of subcall function 0011182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011184C
                                                  • Part of subcall function 0011182D: InternetCloseHandle.WININET(00000000), ref: 001118E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Internet$CloseConnectHandleOpen
                                                • String ID:
                                                • API String ID: 1463438336-0
                                                • Opcode ID: 09504016a91bd01e41b26013653dff90c54f7865a3b51203519202a651768ee3
                                                • Instruction ID: f5451aac7e814d0651d0a70a917ee15421fcdf44e01e02d673a144579fe95e2a
                                                • Opcode Fuzzy Hash: 09504016a91bd01e41b26013653dff90c54f7865a3b51203519202a651768ee3
                                                • Instruction Fuzzy Hash: 28218435200605BFEB1A9F60DC41FFAFBA9FF48710F10413EFA5596650D77198A297A0
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,0012FAC0), ref: 00103A64
                                                • GetLastError.KERNEL32 ref: 00103A73
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00103A82
                                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0012FAC0), ref: 00103ADF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                • String ID:
                                                • API String ID: 2267087916-0
                                                • Opcode ID: 7cf66659f2eeb40b7d8cd1bfce453d565b3a32d8e1999ea0ce5c42740ee6a62f
                                                • Instruction ID: 52a49183b2ae0bd56ffeb3dcd4b9fcd2755d92e65054975a3bbfe008f8a8e126
                                                • Opcode Fuzzy Hash: 7cf66659f2eeb40b7d8cd1bfce453d565b3a32d8e1999ea0ce5c42740ee6a62f
                                                • Instruction Fuzzy Hash: 12216074608201DFC710DF68D8818AAB7E8AF56764F104A2DF4E9C72E2D771DA46CB92
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EC), ref: 00125D80
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00125D9A
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00125DA8
                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00125DB6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$Long$AttributesLayered
                                                • String ID:
                                                • API String ID: 2169480361-0
                                                • Opcode ID: 6ec01e9c21557c55f0ce3603fee762b669577765fdc852ceb31dee95dc87aef1
                                                • Instruction ID: 7a71ca5b8169dfa878f90e25a8880d2d8c63358151562b634bd485a15fcbb4e8
                                                • Opcode Fuzzy Hash: 6ec01e9c21557c55f0ce3603fee762b669577765fdc852ceb31dee95dc87aef1
                                                • Instruction Fuzzy Hash: 4C11D331305514AFDB14AB54EC59FBB77AAEF86320F144228F816DB2E2CB74AD12C794
                                                APIs
                                                  • Part of subcall function 000FF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000FDCD3,?,?,?,000FEAC6,00000000,000000EF,00000119,?,?), ref: 000FF0CB
                                                  • Part of subcall function 000FF0BC: lstrcpyW.KERNEL32(00000000,?,?,000FDCD3,?,?,?,000FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000FF0F1
                                                  • Part of subcall function 000FF0BC: lstrcmpiW.KERNEL32(00000000,?,000FDCD3,?,?,?,000FEAC6,00000000,000000EF,00000119,?,?), ref: 000FF122
                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,000FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000FDCEC
                                                • lstrcpyW.KERNEL32(00000000,?,?,000FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000FDD12
                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,000FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000FDD46
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: lstrcmpilstrcpylstrlen
                                                • String ID: cdecl
                                                • API String ID: 4031866154-3896280584
                                                • Opcode ID: da5cce41878080c793eab42dada835a861a2671e5f4e93b12f1c974ecfe2094e
                                                • Instruction ID: fc8dfae08108c2f731d79c928ae6bc9df8d6334df17882beb0d26e72b2d73ccd
                                                • Opcode Fuzzy Hash: da5cce41878080c793eab42dada835a861a2671e5f4e93b12f1c974ecfe2094e
                                                • Instruction Fuzzy Hash: FC118E3A200309EBCB259F74D845DBA77A9FF45350B40802AFA06CB6A1EB719851E791
                                                APIs
                                                • _free.LIBCMT ref: 000D5101
                                                  • Part of subcall function 000C571C: __FF_MSGBANNER.LIBCMT ref: 000C5733
                                                  • Part of subcall function 000C571C: __NMSG_WRITE.LIBCMT ref: 000C573A
                                                  • Part of subcall function 000C571C: RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,000C0DD3,?), ref: 000C575F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: 0182bcc18414954bcd3373d99f97695fe635e9c15d450a9869cc34d38e4d196a
                                                • Instruction ID: 3952f599a0aad7ae86a5d585ae6e90acdb4fe54721e4dd187f3349b755574a75
                                                • Opcode Fuzzy Hash: 0182bcc18414954bcd3373d99f97695fe635e9c15d450a9869cc34d38e4d196a
                                                • Instruction Fuzzy Hash: 4511A376504B11AECB312FB4AC45B9E3BE8AF543A2F10452FFD4596352DF308D8197A4
                                                APIs
                                                • _memset.LIBCMT ref: 000A44CF
                                                  • Part of subcall function 000A407C: _memset.LIBCMT ref: 000A40FC
                                                  • Part of subcall function 000A407C: _wcscpy.LIBCMT ref: 000A4150
                                                  • Part of subcall function 000A407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000A4160
                                                • KillTimer.USER32(?,00000001,?,?), ref: 000A4524
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A4533
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000DD4B9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                • String ID:
                                                • API String ID: 1378193009-0
                                                • Opcode ID: 02860ccfa411901b341ec9d6e7af5a1a8540ff6867c702f88be95d3fde9bed0b
                                                • Instruction ID: a0a48089e2cb375923de41dc6a00a14e79a39666020ccc45339a28f1c3185077
                                                • Opcode Fuzzy Hash: 02860ccfa411901b341ec9d6e7af5a1a8540ff6867c702f88be95d3fde9bed0b
                                                • Instruction Fuzzy Hash: 7A21D774904784AFE7728B74C855BEBBBEC9F46318F04009FE69E56242C7B42A85CB51
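                                                Every function record in this section has the same shape: a list of direct and "Part of subcall function" API references, the memory-dump source, and a Similarity block whose API ID is built from the API names. The Python below is an added example, not part of the Joe Sandbox report or of its tooling: it parses records in that shape and rebuilds the API ID by counting name tokens over direct and subcall references, grouping them by descending count, sorting inside each group and joining the groups with `$`. The stop-word list (Get, Set, Def, Dlg, Pos, To, Url, Ex, Rtl), the dropping of single-letter tokens and all-uppercase CRT internals, and the stripped `W` suffix on lowercase names are assumptions inferred from the IDs printed on this page, not Joe Sandbox's published algorithm. The embedded sample is a constructed excerpt of the TokenIntegrityLevel record and the Shell_NotifyIconW record above, trimmed to the fields the parser reads.

```python
"""Parse Joe Sandbox 'Executed Functions' records and rebuild their API ID."""
import re
from collections import Counter

# Constructed excerpt: two records from this report, trimmed to the fields
# the parser uses.  Indented bullets are "Part of subcall function" lines.
SAMPLE = """\
APIs
  • Part of subcall function 000F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F8121
  • Part of subcall function 000F810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F812B
  • Part of subcall function 000F810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F813A
  • Part of subcall function 000F810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8141
  • Part of subcall function 000F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000F86A3
• _memcmp.LIBCMT ref: 000F86C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F86FC
• HeapFree.KERNEL32(00000000), ref: 000F8703
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
APIs
• _memset.LIBCMT ref: 000A44CF
  • Part of subcall function 000A407C: _memset.LIBCMT ref: 000A40FC
  • Part of subcall function 000A407C: _wcscpy.LIBCMT ref: 000A4150
  • Part of subcall function 000A407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000A4160
• KillTimer.USER32(?,00000001,?,?), ref: 000A4524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A4533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000DD4B9
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+).*?ref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Assumption: tokens Joe Sandbox drops when forming an API ID, inferred from
# the IDs printed in this report (none of these ever appears in one).
STOP = {"Get", "Set", "Def", "Dlg", "Pos", "To", "Url", "Ex", "Rtl"}


def parse_records(text):
    """Split the text into records, one per 'APIs' header."""
    records, rec = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            rec = {"calls": [], "fields": {}}
            records.append(rec)
            continue
        if rec is None:
            continue
        m = CALL_RE.match(line)
        if m:
            rec["calls"].append({"api": m["api"], "module": m["mod"],
                                 "ref": m["ref"], "subcall": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if m:
            rec["fields"][m["key"]] = m["val"].strip()
    return records


def tokens(api):
    """Split an API name the way the report's API IDs imply."""
    if re.fullmatch(r"[_A-Z0-9]+", api):          # __FF_MSGBANNER-style CRT internals
        return []
    if api[0].isupper():                           # CamelCase Win32 names
        return [t for t in re.findall(r"[A-Z][a-z0-9_]*", api)
                if len(t) > 1 and t not in STOP]   # drops W/A suffixes and stop words
    # lstrlenW, _memcmp, inet_ntoa: kept whole, minus a trailing W (assumption)
    return [api[:-1] if api.endswith("W") else api]


def api_id(calls):
    """Count tokens over direct and subcall references, group by descending
    count, sort within a group (code-point order), join groups with '$'."""
    counts = Counter(t for c in calls for t in tokens(c["api"]))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def check_records(text):
    """Return (reported, recomputed, matches) for each record in the text."""
    out = []
    for rec in parse_records(text):
        reported = rec["fields"].get("API ID", "")
        computed = api_id(rec["calls"])
        out.append((reported, computed, reported == computed))
    return out


if __name__ == "__main__":
    for reported, computed, ok in check_records(SAMPLE):
        print("OK " if ok else "BAD", reported, "" if ok else computed)
```

                                                Recomputing the ID from the call list is what makes it usable as a clustering key across reports: two functions with the same ID share the same multiset of API-name tokens regardless of call order or argument values, which is also why the Similarity block pairs it with the instruction fuzzy hash rather than relying on either alone.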
                                                APIs
                                                  • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00107896,?,?,00000000), ref: 000A5A2C
                                                  • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00107896,?,?,00000000,?,?), ref: 000A5A50
                                                • gethostbyname.WSOCK32(?,?,?), ref: 00116399
                                                • WSAGetLastError.WSOCK32(00000000), ref: 001163A4
                                                • _memmove.LIBCMT ref: 001163D1
                                                • inet_ntoa.WSOCK32(?), ref: 001163DC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                • String ID:
                                                • API String ID: 1504782959-0
                                                • Opcode ID: e1bdd17dc566d8987889358817e367e8516e92b420766044ae6e9ac952f503de
                                                • Instruction ID: d4df37a5e5a633b773df65623c07b2ffcff8d16db598e0bd60be0ce08a298006
                                                • Opcode Fuzzy Hash: e1bdd17dc566d8987889358817e367e8516e92b420766044ae6e9ac952f503de
                                                • Instruction Fuzzy Hash: 4E117C31600109AFCB04EBE4DD46CEFB7B8BF15310B004039F505AB2A2DB31AE55DBA1
                                                APIs
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 000F8B61
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F8B73
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F8B89
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F8BA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 1d4ec401d324e08e822aed85f8a3f879b50ec764cfe3e0159a43d30ac9300767
                                                • Instruction ID: fd37f1e5b3ec8dd8509462b141ca72fd0cc37aa288d0b7bf29fb20dbed82edb5
                                                • Opcode Fuzzy Hash: 1d4ec401d324e08e822aed85f8a3f879b50ec764cfe3e0159a43d30ac9300767
                                                • Instruction Fuzzy Hash: 28110A79901218BFDB11DB95C885EEDBBB4EB48710F2040A5EA00B7250DB716E51EB94
                                                APIs
                                                  • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                • DefDlgProcW.USER32(?,00000020,?), ref: 000A12D8
                                                • GetClientRect.USER32(?,?), ref: 000DB5FB
                                                • GetCursorPos.USER32(?), ref: 000DB605
                                                • ScreenToClient.USER32(?,?), ref: 000DB610
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 4127811313-0
                                                • Opcode ID: efe7f22aae2d99a1cbb0e257bfcb1269126c1fe262a845355e987e67380cf4c4
                                                • Instruction ID: 4e9fb81fd9debc5113908d95c8a3cb4207f6ee9ff4400a848ac7bed76d54a8b2
                                                • Opcode Fuzzy Hash: efe7f22aae2d99a1cbb0e257bfcb1269126c1fe262a845355e987e67380cf4c4
                                                • Instruction Fuzzy Hash: C7110A39500519FFCB10DF98D985AFE77B9EB06301F500466F901E7651D730FAA28BA5
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 0010115F
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 00101184
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 0010118E
                                                • Sleep.KERNEL32(?,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 001011C1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CounterPerformanceQuerySleep
                                                • String ID:
                                                • API String ID: 2875609808-0
                                                • Opcode ID: dd7f71ba97faab2d0fbcf7da09244df7257581b28b88a5872482b8de7460894e
                                                • Instruction ID: 5aeb946d00bffe9d7430f90028c36498c2b66bbb5052bbf8a7c77539ab863276
                                                • Opcode Fuzzy Hash: dd7f71ba97faab2d0fbcf7da09244df7257581b28b88a5872482b8de7460894e
                                                • Instruction Fuzzy Hash: 2A118E31C0061CF7CF08DFA4D848AEEBB78FF09711F414069EA80B2280CBB495A1CB91
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000FD84D
                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000FD864
                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000FD879
                                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000FD897
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                • String ID:
                                                • API String ID: 1352324309-0
                                                • Opcode ID: 8e582554d206ed01f97239ac54c63ffe44b320ca97db8d21b5a60d71edaa3a31
                                                • Instruction ID: 047eb59958794d7dce81ab2ecabef726bfdc91f217dc22768827ef80a40e3f85
                                                • Opcode Fuzzy Hash: 8e582554d206ed01f97239ac54c63ffe44b320ca97db8d21b5a60d71edaa3a31
                                                • Instruction Fuzzy Hash: FA115E75605308EBE3309F50DC08FA6BBBDEB40B40F10856EA616D6850DBB1E55BABA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                • String ID:
                                                • API String ID: 3016257755-0
                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction ID: 7ba37ef8b5b3389f16d5f76ecdb90f3e6b14aa21293be9762e078aa85d1c1007
                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction Fuzzy Hash: 28014E7244824AFBCF265F84DC05CED3F62BB18350B588456FA5C58271E237C9B1ABA1
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 0012B2E4
                                                • ScreenToClient.USER32(?,?), ref: 0012B2FC
                                                • ScreenToClient.USER32(?,?), ref: 0012B320
                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0012B33B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                • Opcode ID: 4e8c6f40b99110ce537f0fcf6a0a403f5e9a5f3ac340631040ce21afdf8e7e39
                                                • Instruction ID: 38910aa45d117c937f35dd963c145cfc8c9824742dcffdb5339623f87fe50b9a
                                                • Opcode Fuzzy Hash: 4e8c6f40b99110ce537f0fcf6a0a403f5e9a5f3ac340631040ce21afdf8e7e39
                                                • Instruction Fuzzy Hash: DE114779D00209EFDB51CF99D4849EEBBF5FF08310F104166E914E3620D735AA658F50
                                                APIs
                                                • _memset.LIBCMT ref: 0012B644
                                                • _memset.LIBCMT ref: 0012B653
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00166F20,00166F64), ref: 0012B682
                                                • CloseHandle.KERNEL32 ref: 0012B694
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _memset$CloseCreateHandleProcess
                                                • String ID:
                                                • API String ID: 3277943733-0
                                                • Opcode ID: dc9c2e9eaafad4e3a0b930daa8eef7eb5b6cb077efc5a063cba6527951a21cf8
                                                • Instruction ID: 609d6501f6cbe66f35298824e3c3d9cefd3f9a57142aaa201de4e66e9e562de6
                                                • Opcode Fuzzy Hash: dc9c2e9eaafad4e3a0b930daa8eef7eb5b6cb077efc5a063cba6527951a21cf8
                                                • Instruction Fuzzy Hash: 11F082B25403107BE3106771BC26FBB3A9CEB18395F004074FA09E9992D7B24C61C7A8
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 00106BE6
                                                  • Part of subcall function 001076C4: _memset.LIBCMT ref: 001076F9
                                                • _memmove.LIBCMT ref: 00106C09
                                                • _memset.LIBCMT ref: 00106C16
                                                • LeaveCriticalSection.KERNEL32(?), ref: 00106C26
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CriticalSection_memset$EnterLeave_memmove
                                                • String ID:
                                                • API String ID: 48991266-0
                                                • Opcode ID: bf6aaee4809d95c83f26ad54c41a2a6f7979ea7e0eccd26ecd19e9c51383a6db
                                                • Instruction ID: d372b7f4cbb2c6a1d2c2661455fecca6789d36d15bdcb2b3b53271eafddca5f5
                                                • Opcode Fuzzy Hash: bf6aaee4809d95c83f26ad54c41a2a6f7979ea7e0eccd26ecd19e9c51383a6db
                                                • Instruction Fuzzy Hash: 25F0543A100100BBCF016F95DC85E8ABB29EF55320F048065FE095E267CB71E852CBB4
                                                APIs
                                                • GetSysColor.USER32(00000008), ref: 000A2231
                                                • SetTextColor.GDI32(?,000000FF), ref: 000A223B
                                                • SetBkMode.GDI32(?,00000001), ref: 000A2250
                                                • GetStockObject.GDI32(00000005), ref: 000A2258
                                                • GetWindowDC.USER32(?,00000000), ref: 000DBE83
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 000DBE90
                                                • GetPixel.GDI32(00000000,?,00000000), ref: 000DBEA9
                                                • GetPixel.GDI32(00000000,00000000,?), ref: 000DBEC2
                                                • GetPixel.GDI32(00000000,?,?), ref: 000DBEE2
                                                • ReleaseDC.USER32(?,00000000), ref: 000DBEED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                • String ID:
                                                • API String ID: 1946975507-0
                                                • Opcode ID: 6671ff2b53ffe26fe87159b7999f5882de88fb702c52eeb51d29dc5c8a7c9b97
                                                • Instruction ID: 10bd625fe8e207236a21ba585a4f6439b85629adb468ca83f6539d4956f29ab1
                                                • Opcode Fuzzy Hash: 6671ff2b53ffe26fe87159b7999f5882de88fb702c52eeb51d29dc5c8a7c9b97
                                                • Instruction Fuzzy Hash: 4EE03932104244FADB615FA8EC0DBD83B60EB05332F00837AFA69880E1877149A2DB22
                                                APIs
                                                • GetCurrentThread.KERNEL32 ref: 000F871B
                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,000F82E6), ref: 000F8722
                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000F82E6), ref: 000F872F
                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,000F82E6), ref: 000F8736
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CurrentOpenProcessThreadToken
                                                • String ID:
                                                • API String ID: 3974789173-0
                                                • Opcode ID: dcdd25b85f8fee16c9e26d27ce7cb0b627184511aefc98a28ab28b0c1cc2b4d7
                                                • Instruction ID: 807f77c01eccbe345990f9cd953fce687abffb243351639c320d948fda081327
                                                • Opcode Fuzzy Hash: dcdd25b85f8fee16c9e26d27ce7cb0b627184511aefc98a28ab28b0c1cc2b4d7
                                                • Instruction Fuzzy Hash: 25E04F36615311EBD770AFB06D0CB973BB8EF55791F14883CB245C9440DA248493D750
                                                APIs
                                                • OleSetContainedObject.OLE32(?,00000001), ref: 000FB4BE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ContainedObject
                                                • String ID: AutoIt3GUI$Container
                                                • API String ID: 3565006973-3941886329
                                                • Opcode ID: d60cbd0613a8178fb485bdbb6791be87790e884eb19be5b8635b2f9056cf1652
                                                • Instruction ID: cc9600659058cd31e3f2802b08e81033cf46f31808a1edc234ede2847a6a9a59
                                                • Opcode Fuzzy Hash: d60cbd0613a8178fb485bdbb6791be87790e884eb19be5b8635b2f9056cf1652
                                                • Instruction Fuzzy Hash: 12915870200605AFDB64DF64C884B6AB7E9FF48B00F20846DFA4ACB691DB71E841DF50
                                                APIs
                                                  • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                • __wcsnicmp.LIBCMT ref: 0010B02D
                                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0010B0F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                • String ID: LPT
                                                • API String ID: 3222508074-1350329615
                                                • Opcode ID: 1daae9262dc4f5b4cb59efe5ea4cbf05f1330efb8048f52e8350db729e289fc9
                                                • Instruction ID: 3960b4df2186df66027dff7175f76cc1ccb25adb11e8539c96911604e4e523e8
                                                • Opcode Fuzzy Hash: 1daae9262dc4f5b4cb59efe5ea4cbf05f1330efb8048f52e8350db729e289fc9
                                                • Instruction Fuzzy Hash: 6461A075A04219EFCB18DF94D891EFEB7B4EF09710F114069F956AB291DBB0AE80CB50
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 000B2968
                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 000B2981
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: GlobalMemorySleepStatus
                                                • String ID: @
                                                • API String ID: 2783356886-2766056989
                                                • Opcode ID: a074f9c67c0d1f514fa0355703151428e8a1c9424ee08dc120b2bd2714804b76
                                                • Instruction ID: e8dbd473b19bdc82f665475ce220d7308709f964835b8f79915ff157de929bdf
                                                • Opcode Fuzzy Hash: a074f9c67c0d1f514fa0355703151428e8a1c9424ee08dc120b2bd2714804b76
                                                • Instruction Fuzzy Hash: F7514771518744ABE320EF50D886BEFBBE8FB86344F41885DF2D8410A2DF358569CB66
                                                APIs
                                                  • Part of subcall function 000A4F0B: __fread_nolock.LIBCMT ref: 000A4F29
                                                • _wcscmp.LIBCMT ref: 00109824
                                                • _wcscmp.LIBCMT ref: 00109837
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: _wcscmp$__fread_nolock
                                                • String ID: FILE
                                                • API String ID: 4029003684-3121273764
                                                • Opcode ID: 8e472e865cced5fe04272bbfd3b73c2e90e96f13e6fd1a6a301c4ed25a2d202c
                                                • Instruction ID: 66eaebff88700709a0bab95d962f9a7ed0cedef82762302d83cca41b8d369c16
                                                • Opcode Fuzzy Hash: 8e472e865cced5fe04272bbfd3b73c2e90e96f13e6fd1a6a301c4ed25a2d202c
                                                • Instruction Fuzzy Hash: 42419575A00219BADF219AE4CC56FEFB7B9DF86710F00447AF944A7182DBB199048B61
                                                APIs
                                                • _memset.LIBCMT ref: 0011259E
                                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001125D4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CrackInternet_memset
                                                • String ID: |
                                                • API String ID: 1413715105-2343686810
                                                • Opcode ID: 4b791c147ee52ad56c689529b87e6dd5d920a508c47396041c4decb41523e1da
                                                • Instruction ID: 242cfce5a9a61a2d27ba3457c2d9d2a235ab197e262599cfceb811b67046c4ff
                                                • Opcode Fuzzy Hash: 4b791c147ee52ad56c689529b87e6dd5d920a508c47396041c4decb41523e1da
                                                • Instruction Fuzzy Hash: 4031F471804219EBCF15EFA0CC85EEEBFB9FF09350F104069ED19A6162EB315956DB60
                                                APIs
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00127B61
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00127B76
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: '
                                                • API String ID: 3850602802-1997036262
                                                • Opcode ID: 34e91f5c089b3c7c74e63e7973fdbf81814a8d86df43417fd103a7b378d55c0a
                                                • Instruction ID: 918edae67d861860357a6e53560176eb4728c18f54ba7a554b0b9db87b6c6bd9
                                                • Opcode Fuzzy Hash: 34e91f5c089b3c7c74e63e7973fdbf81814a8d86df43417fd103a7b378d55c0a
                                                • Instruction Fuzzy Hash: 27413874A0521A9FDB14CF68D980BEABBB9FF08310F14016AE904EB381D770A961CF90
                                                APIs
                                                • DestroyWindow.USER32(?,?,?,?), ref: 00126B17
                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00126B53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$DestroyMove
                                                • String ID: static
                                                • API String ID: 2139405536-2160076837
                                                • Opcode ID: ebe7c1f60cdc32a1b7accf1f7ba8720d5f0aa46bdd5c3318b8e983af5f94ea71
                                                • Instruction ID: 196e2c174a5a6f864ba88c559c502ad53b2847cec881cd1156187e0eef362294
                                                • Opcode Fuzzy Hash: ebe7c1f60cdc32a1b7accf1f7ba8720d5f0aa46bdd5c3318b8e983af5f94ea71
                                                • Instruction Fuzzy Hash: 4C316D71200614AEDB109F68DC81AFB77B9FF48760F10862DF9A9D7190DB35ACA2C760
                                                APIs
                                                • _memset.LIBCMT ref: 00102911
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0010294C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: 0c42c8404cd996bbe0b3a4d146c6c6b7bb870783139361dd481158f1189cee60
                                                • Instruction ID: 5870e5f11bd179915a9dd2b64539e21a6d842d7053c75dd9ce0e00cb31ab390b
                                                • Opcode Fuzzy Hash: 0c42c8404cd996bbe0b3a4d146c6c6b7bb870783139361dd481158f1189cee60
                                                • Instruction Fuzzy Hash: 80319131600315EBEF28CF98C989BAEBBF9EF45358F144029E9C5A61E1D7F09944CB51
                                                APIs
                                                • __snwprintf.LIBCMT ref: 00113A66
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: __snwprintf_memmove
                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                • API String ID: 3506404897-2584243854
                                                • Opcode ID: cb23a1a84b9cb471099d73472e8061eaa7ee9eac5a94842d5f4bd9511863a84b
                                                • Instruction ID: d1e90c49b38f8eeeef4d5934cfb9c3993d7a731750899656755a4b94bab65047
                                                • Opcode Fuzzy Hash: cb23a1a84b9cb471099d73472e8061eaa7ee9eac5a94842d5f4bd9511863a84b
                                                • Instruction Fuzzy Hash: E4218D30600219AFCF14EFA4DC82EEE77B5AF45310F404468F969BB186DB30EA85CB61
                                                APIs
                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00126761
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0012676C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Combobox
                                                • API String ID: 3850602802-2096851135
                                                • Opcode ID: e1c5b7feec51fe016adfa4ff4b8f2d64e0777a5d87ab7773384f0b6f833de3bf
                                                • Instruction ID: 95aeb124a38f27b643d6fca649a11b7c72cf532c084200ae91f6284c8b5d6a9d
                                                • Opcode Fuzzy Hash: e1c5b7feec51fe016adfa4ff4b8f2d64e0777a5d87ab7773384f0b6f833de3bf
                                                • Instruction Fuzzy Hash: 0B11B275200218AFEF218F54EC80EEB376BEB48368F100129F9149B2D0D771DC6197A0
                                                APIs
                                                  • Part of subcall function 000A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000A1D73
                                                  • Part of subcall function 000A1D35: GetStockObject.GDI32(00000011), ref: 000A1D87
                                                  • Part of subcall function 000A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A1D91
                                                • GetWindowRect.USER32(00000000,?), ref: 00126C71
                                                • GetSysColor.USER32(00000012), ref: 00126C8B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                • String ID: static
                                                • API String ID: 1983116058-2160076837
                                                • Opcode ID: 6d7e915695354507be951c44f8debd7ebca0987cdc518e97d230c1e5a49bde28
                                                • Instruction ID: f80062260a398f3adae5069292393af4bd98ea1f6b903e2539baca306dff8ead
                                                • Opcode Fuzzy Hash: 6d7e915695354507be951c44f8debd7ebca0987cdc518e97d230c1e5a49bde28
                                                • Instruction Fuzzy Hash: 0421267261021AAFDF14DFA8DC45EEA7BB8FB08314F004629F995D2290D735E861DB60
                                                APIs
                                                • GetWindowTextLengthW.USER32(00000000), ref: 001269A2
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001269B1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: LengthMessageSendTextWindow
                                                • String ID: edit
                                                • API String ID: 2978978980-2167791130
                                                • Opcode ID: f8100c753a722ba0f0d5e7a279890e3fc70a558a14fad724c4c1de4604cd5bf0
                                                • Instruction ID: fea640042b7a9d6c36f156d6514382d827aeb4d40c450409ecdb61f1415f3cd2
                                                • Opcode Fuzzy Hash: f8100c753a722ba0f0d5e7a279890e3fc70a558a14fad724c4c1de4604cd5bf0
                                                • Instruction Fuzzy Hash: 5C114F71500124AFEF108F64EC45EEB3769EB05378F504728F9A5971E0CB75DCA19760
                                                APIs
                                                • _memset.LIBCMT ref: 00102A22
                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00102A41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: cde5e52e137e35103fbd644ee16b8925863a29aa53f81f544ea2ccf94b9189b3
                                                • Instruction ID: a71357989515be133858869493ae55bbe969fcf34681835961cf1c79f7e26891
                                                • Opcode Fuzzy Hash: cde5e52e137e35103fbd644ee16b8925863a29aa53f81f544ea2ccf94b9189b3
                                                • Instruction Fuzzy Hash: 9311E232A01124EBCF34DF98DC48BAA77B9AB45344F154061E895E76D0DBB0AD0AC791
                                                APIs
                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0011222C
                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00112255
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Internet$OpenOption
                                                • String ID: <local>
                                                • API String ID: 942729171-4266983199
                                                • Opcode ID: b6b9281384ab8f8fa5324fe1598a09963d571773f8b0792b888bb497fe1e64e9
                                                • Instruction ID: 838149780b079993e65bb14fe21060b39cc8dddc2be9f00a8ca46cbfd40cb585
                                                • Opcode Fuzzy Hash: b6b9281384ab8f8fa5324fe1598a09963d571773f8b0792b888bb497fe1e64e9
                                                • Instruction Fuzzy Hash: F6110E70501225BADB2C8F118C88EFBFBA8FF1A351F10823AF91586000E3B058E5DAF0
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000F8E73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 657a4025fbd1b4759667b72b8057af53b254f31487bef77abb993372936e57d3
                                                • Instruction ID: 8b537c0beb1c0d4b17818de93259b0d042d4b03c228fd176d3b943eebe5951e6
                                                • Opcode Fuzzy Hash: 657a4025fbd1b4759667b72b8057af53b254f31487bef77abb993372936e57d3
                                                • Instruction Fuzzy Hash: 0601F1B1701218ABCB14EBE0CC468FE7368EF06320B004A19B9355B6E2EF31580CE750
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 000F8D6B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: d2299f1c97db749e1b5d2155655c167d52fb3e44717f65ca32fba56418778919
                                                • Instruction ID: 8f04fb240269b9e39ba79a7eb27001d51cedd8b6b299d2277a3b91df41a7a66d
                                                • Opcode Fuzzy Hash: d2299f1c97db749e1b5d2155655c167d52fb3e44717f65ca32fba56418778919
                                                • Instruction Fuzzy Hash: C801B1B1B4110CABCB24EBE0CD52AFF77A89F16300F104019B9156B6D2DE145A0CA262
                                                APIs
                                                  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                  • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 000F8DEE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 28804cf3798201d2898b6548e8f023b354c80a92f00368c3cf36ec5f71e3b835
                                                • Instruction ID: b7059ffa385f6289c0fbebfd6e402bb25e38d4477c625ce180810353e72a23b0
                                                • Opcode Fuzzy Hash: 28804cf3798201d2898b6548e8f023b354c80a92f00368c3cf36ec5f71e3b835
                                                • Instruction Fuzzy Hash: 0C0184B1A41109A7DB25E6E4CD42AFF77A89F16300F104019B916676D2DA154E0DE271
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: ClassName_wcscmp
                                                • String ID: #32770
                                                • API String ID: 2292705959-463685578
                                                • Opcode ID: 7f720161b7c9ea295aef7070e9e3c02be7f80b3a050e7ffe5df9234123962dbb
                                                • Instruction ID: ac59521651e08949f2ea6c5d635df4304e2a3651257db46e914be87bc00c539c
                                                • Opcode Fuzzy Hash: 7f720161b7c9ea295aef7070e9e3c02be7f80b3a050e7ffe5df9234123962dbb
                                                • Instruction Fuzzy Hash: E6E0D13350022967D7209B599C45FA7F7BCDB45B71F00006BFD04D7051D6609B5687D0
                                                APIs
                                                  • Part of subcall function 000DB314: _memset.LIBCMT ref: 000DB321
                                                  • Part of subcall function 000C0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000DB2F0,?,?,?,000A100A), ref: 000C0945
                                                • IsDebuggerPresent.KERNEL32(?,?,?,000A100A), ref: 000DB2F4
                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000A100A), ref: 000DB303
                                                Strings
                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000DB2FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                • API String ID: 3158253471-631824599
                                                • Opcode ID: d7348a44e9871629396867c8145eb763cd383cf411b86043718604e72d001374
                                                • Instruction ID: 23b0976415b0b5b85ddfbd6ef49adf37789c8bdb66486533c7aaeb8f57dca76f
                                                • Opcode Fuzzy Hash: d7348a44e9871629396867c8145eb763cd383cf411b86043718604e72d001374
                                                • Instruction Fuzzy Hash: C6E03270200710CBD720AF68E904B867AE8EF00744F018A2EE486C6B51EBB4E586CBB1
                                                APIs
                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000F7C82
                                                  • Part of subcall function 000C3358: _doexit.LIBCMT ref: 000C3362
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Message_doexit
                                                • String ID: AutoIt$Error allocating memory.
                                                • API String ID: 1993061046-4017498283
                                                • Opcode ID: 92307d8c6c82cb0d5b7f605fb6ccac689b19de458580815b396fc66a03b2b1a6
                                                • Instruction ID: 2dd4b25e2d6c25a520e82c13bca40aa7d5b6b11c4593ea58ec8956bdbfb0bd90
                                                • Opcode Fuzzy Hash: 92307d8c6c82cb0d5b7f605fb6ccac689b19de458580815b396fc66a03b2b1a6
                                                • Instruction Fuzzy Hash: 2DD05B323C435C76D11533A9BC07FDE75888F05B52F144429FF08995D34AD5499151E5
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?), ref: 000E1775
                                                  • Part of subcall function 0011BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,000E195E,?), ref: 0011BFFE
                                                  • Part of subcall function 0011BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0011C010
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000E196D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                • String ID: WIN_XPe
                                                • API String ID: 582185067-3257408948
                                                • Opcode ID: 83836703e42ba59d65905ade6c023cd30bba2ecc76e7a9a39aeca2bcad82c3f8
                                                • Instruction ID: ff0c4625c24ed86987d4495b7619a68ab7f2e0a27b9ef10600a41c97dfb7a06f
                                                • Opcode Fuzzy Hash: 83836703e42ba59d65905ade6c023cd30bba2ecc76e7a9a39aeca2bcad82c3f8
                                                • Instruction Fuzzy Hash: 3CF0ED71808149EFDB25DB92C988AECBBF8BB18701F5400AAE142B6590D7714FC6DF61
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012596E
                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00125981
                                                  • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                • Opcode ID: 44181f7fb6610f3e3976c90e68a567be8e6dd9e413a9f86f6de86b0baff43900
                                                • Instruction ID: 4574328917cefde8b296839a0ee5a7604b6e50803c1a5824e82b2a65377f481c
                                                • Opcode Fuzzy Hash: 44181f7fb6610f3e3976c90e68a567be8e6dd9e413a9f86f6de86b0baff43900
                                                • Instruction Fuzzy Hash: F4D0C931394311B6E674BB709C0BFD76A25AF10B51F000839B699AA5D0DAE09852CA54
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001259AE
                                                • PostMessageW.USER32(00000000), ref: 001259B5
                                                  • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                                • Associated: 00000000.00000002.1434798518.00000000000A0000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.000000000012F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435363523.0000000000154000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435513766.000000000015E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1435582158.0000000000167000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a0000_MLxloAVuCZ.jbxd
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                • Opcode ID: 70785b4adb7ed7270f956d2767cdd507fc01e7c1d0911511735b47525955048a
                                                • Instruction ID: 930e3dde1befd32944069ae83746b32c8b240f6140466015fde516e26fbb7c0b
                                                • Opcode Fuzzy Hash: 70785b4adb7ed7270f956d2767cdd507fc01e7c1d0911511735b47525955048a
                                                • Instruction Fuzzy Hash: 17D0C931380311BAE674BB709C0BFD76A25AF14B51F000839B695AA5D0DAE0A852CA54
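The entries above are the report's per-function similarity records: the API calls a function makes (with subcalls), the strings it references, and the hashes Joe Sandbox derives from them. As an added example, not part of the Joe Sandbox report or its tooling, the Python below parses that record layout, inferred from the entries on this page, into structured data and groups functions that share an API String ID. That is how the two Shell_TrayWnd functions above appear as one behaviour (API String ID 529655941-2988720461) with two different Opcode IDs. The sample input is copied from three entries on this page; the record field names, the grouping helper and the `MODULE!Name` listing are my own choices and are assumptions about how such data would be consumed.

```python
"""Parse Joe Sandbox function-similarity entries and group them by API String ID.

Added example, not code from the Joe Sandbox report.  The record layout
(APIs / Strings / Similarity sections, bullet-prefixed fields) is inferred
from the entries on this page; anything outside those three sections is skipped.
"""
import re
from collections import defaultdict

# Constructed sample: three entries copied from the listing above
# (the ATL critical-section check and the two Shell_TrayWnd functions).
SAMPLE = """\
APIs
  • Part of subcall function 000DB314: _memset.LIBCMT ref: 000DB321
  • Part of subcall function 000C0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000DB2F0,?,?,?,000A100A), ref: 000C0945
• IsDebuggerPresent.KERNEL32(?,?,?,000A100A), ref: 000DB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000A100A), ref: 000DB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000DB2FE
Memory Dump Source
• Source File: 00000000.00000002.1435052273.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: d7348a44e9871629396867c8145eb763cd383cf411b86043718604e72d001374
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00125981
  • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 44181f7fb6610f3e3976c90e68a567be8e6dd9e413a9f86f6de86b0baff43900
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001259AE
• PostMessageW.USER32(00000000), ref: 001259B5
  • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 70785b4adb7ed7270f956d2767cdd507fc01e7c1d0911511735b47525955048a
"""

# "Name.MODULE(args), ref: ADDR" or, for CRT helpers, "Name.MODULE ref: ADDR";
# subcall lines carry the address of the calling function in front.
API_CALL = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.*)$")
SECTIONS = ("APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin")


def parse_entries(text):
    """Return one dict per function entry: {'apis': [...], 'strings': [...], 'similarity': {...}}."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every entry opens with its API list
            cur = {"apis": [], "strings": [], "similarity": {}}
            entries.append(cur)
            section = line
            continue
        if line in SECTIONS:
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_CALL.match(body)
            if m:
                cur["apis"].append({
                    "name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": [] if m["args"] is None else m["args"].split(","),
                    "subcall_of": m["sub"],     # None when the call is direct
                })
        elif section == "Strings":
            s, sep, xref = body.rpartition(", xrefs: ")
            cur["strings"].append((s, xref) if sep else (body, None))
        elif section == "Similarity":
            m = FIELD.match(body)
            if m:
                cur["similarity"][m["key"]] = m["value"]
    return entries


def by_api_string_id(entries):
    """Map each API String ID to the Opcode IDs that implement it.

    Functions sharing an API String ID use the same API set and strings; differing
    Opcode IDs mean different code bodies, which is what lets you match a function
    across samples even when its bytes change.
    """
    groups = defaultdict(list)
    for e in entries:
        key = e["similarity"].get("API String ID")
        if key:
            groups[key].append(e["similarity"].get("Opcode ID"))
    return dict(groups)


def api_names(entries, include_subcalls=False):
    """Sorted MODULE!Name pairs across all entries, for quick behaviour triage."""
    return sorted({f'{a["module"]}!{a["name"]}' for e in entries for a in e["apis"]
                   if include_subcalls or a["subcall_of"] is None})


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for sid, opcodes in by_api_string_id(parsed).items():
        print(sid, len(opcodes), "function(s)")
    print(api_names(parsed, include_subcalls=True))
```

The parser deliberately keys on the "APIs" line as the start of each record, since that is the only marker that appears exactly once per function in the listing; the Memory Dump Source and IDA Plugin sections are recognised so their bullets are not mistaken for API calls, but otherwise ignored.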