Windows Analysis Report
ru52XOQ1p7.exe

Overview

General Information

Sample name: ru52XOQ1p7.exe (renamed because the original name is a hash value)
Original sample name: 98b6476344625f6f4510212eaa5e7b73343c136775e17c12ebebb0fc1da55427.exe
Analysis ID: 1588343
MD5: 692089076deaff03da7f7c4977b68ef7
SHA1: fcb8330a1b16a57a8d81c1b0ee584781b6c8e4d5
SHA256: 98b6476344625f6f4510212eaa5e7b73343c136775e17c12ebebb0fc1da55427
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ru52XOQ1p7.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\ru52XOQ1p7.exe" MD5: 692089076DEAFF03DA7F7C4977B68EF7)
    • indivinity.exe (PID: 7884 cmdline: "C:\Users\user\Desktop\ru52XOQ1p7.exe" MD5: 692089076DEAFF03DA7F7C4977B68EF7)
      • RegSvcs.exe (PID: 7928 cmdline: "C:\Users\user\Desktop\ru52XOQ1p7.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 8136 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • indivinity.exe (PID: 8184 cmdline: "C:\Users\user\AppData\Local\biopsies\indivinity.exe" MD5: 692089076DEAFF03DA7F7C4977B68EF7)
      • RegSvcs.exe (PID: 7216 cmdline: "C:\Users\user\AppData\Local\biopsies\indivinity.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alltoursegypt.com", "Username": "admin@alltoursegypt.com", "Password": "OPldome23#12klein"}
Source | Rule | Description | Author | Strings
00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | strings:
  • 0x34edb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x34f4d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34fd7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35069:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x350d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35145:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x351db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3526b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.1559661926.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.1559661926.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(17 entries in total; the remaining entries are not shown here)

Source | Rule | Description | Author | Strings
5.2.indivinity.exe.18a0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
5.2.indivinity.exe.18a0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.indivinity.exe.18a0000.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | strings:
  • 0x330db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3314d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x331d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33269:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x332d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33345:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x333db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3346b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.indivinity.exe.3c70000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
2.2.indivinity.exe.3c70000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(10 entries in total; the remaining entries are not shown here)

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs" , ProcessId: 8136, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 192.254.186.165, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7928, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49714
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs" , ProcessId: 8136, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\biopsies\indivinity.exe, ProcessId: 7884, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs
No Suricata rule has matched

AV Detection

Source: 2.2.indivinity.exe.3c70000.1.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alltoursegypt.com", "Username": "admin@alltoursegypt.com", "Password": "OPldome23#12klein"}
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; ReversingLabs: Detection: 71%
Source: ru52XOQ1p7.exe; ReversingLabs: Detection: 71%
Source: ru52XOQ1p7.exe; Virustotal: Detection: 69%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Joe Sandbox ML: detected
Source: ru52XOQ1p7.exe; Joe Sandbox ML: detected
Source: ru52XOQ1p7.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP; source: indivinity.exe, 00000002.00000003.1454373481.0000000004150000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000002.00000003.1455466766.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1550880761.0000000003570000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1551623370.0000000003710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: indivinity.exe, 00000002.00000003.1454373481.0000000004150000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000002.00000003.1455466766.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1550880761.0000000003570000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1551623370.0000000003710000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0027445A
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027C6D1 FindFirstFileW,FindClose,0_2_0027C6D1
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0027C75C
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0027EF95
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0027F0F2
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0027F3F3
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_002737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002737EF
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_00273B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00273B12
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0027BCBC
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0015445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0015445A
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0015C6D1 FindFirstFileW,FindClose,2_2_0015C6D1
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0015C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0015C75C
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0015EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0015EF95
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0015F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0015F0F2
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0015F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0015F3F3
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_001537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_001537EF
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_00153B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00153B12
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0015BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0015BCBC
Source: global traffic; TCP traffic: 192.168.2.9:52792 -> 1.1.1.1:53
Source: global traffic; TCP traffic: 192.168.2.9:59877 -> 1.1.1.1:53
Source: global traffic; TCP traffic: 192.168.2.9:55696 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 172.67.74.152
Source: Joe Sandbox View; IP Address: 192.254.186.165
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_002822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002822EE
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: mail.alltoursegypt.com
Source: global traffic; DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.000000000302C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://alltoursegypt.com
Source: RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micros
Source: RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.000000000302C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.alltoursegypt.com
Source: RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://r10.i.lencr.org/01
Source: RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000003.00000002.1559661926.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678125518.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://x1.cu
Source: RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678125518.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: indivinity.exe, 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, indivinity.exe, 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: indivinity.exe, 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, indivinity.exe, 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000003.00000002.1559661926.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000003.00000002.1559661926.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: unknown; Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49713

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_00284164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00284164
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_00164164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00164164
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_00283F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00283F66
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0027001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0027001C
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe; Code function: 0_2_0029CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0029CABC
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe; Code function: 2_2_0017CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0017CABC

                  System Summary

                  Source: 5.2.indivinity.exe.18a0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 2.2.indivinity.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 2.2.indivinity.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.indivinity.exe.18a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00213B3A This is a third-party compiled AutoIt script.
                  Source: ru52XOQ1p7.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ru52XOQ1p7.exe, 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ru52XOQ1p7.exe, 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F3B3A This is a third-party compiled AutoIt script.
                  Source: indivinity.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: indivinity.exe, 00000002.00000002.1455991224.00000000001A4000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: indivinity.exe, 00000002.00000002.1455991224.00000000001A4000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: indivinity.exe, 00000005.00000002.1555654136.00000000001A4000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: indivinity.exe, 00000005.00000002.1555654136.00000000001A4000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00213633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C57D SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C860 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C8BE NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C88F NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C93E ClientToScreen,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029C909 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029CA7C GetWindowLongW,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00211287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00211290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029D3B8 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0021167D NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002116B5 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002116DE GetParent,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029D78C NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0021189B NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029BC5D NtdllDialogWndProc_W,CallWindowProcW
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029BF30 NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0029BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C57D SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C860 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C88F NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C8BE NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C909 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017C93E ClientToScreen,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017CA7C GetWindowLongW,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017D3B8 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F167D NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F16B5 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F16DE GetParent,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017D78C NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F189B NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017BC5D NtdllDialogWndProc_W,CallWindowProcW
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017BF30 NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0017BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0027A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00268310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74285590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0023D975
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002321C5
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002462D2
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002903DA
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0024242E
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002325FA
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0026E616
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0021E6A0
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002266E1
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0024878F
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00228808
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00246844
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00290857
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00278889
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0023CB21
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00246DB6
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00226F9E
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00223030
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00233187
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0023F1D9
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00211287
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00231484
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00225520
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00237696
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00225760
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00231978
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00249AB5
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0021FCE0
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0023BDA6
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00231D90
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00297DDB
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0021DF00
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00223FE0
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_015A4538
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0011D975
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001121C5
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001262D2
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001703DA
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0012242E
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001125FA
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0014E616
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000FE6A0
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001066E1
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0012878F
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00108808
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00170857
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00126844
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00158889
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0011CB21
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00126DB6
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00106F9E
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00103030
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00113187
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0011F1D9
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F1287
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00111484
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00105520
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00117696
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00105760
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00111978
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00129AB5
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000FFCE0
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00111D90
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_0011BDA6
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00177DDB
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000FDF00
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00103FE0
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_01464CB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_028141C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02814A98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0281A968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02813E80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0281F9C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E3690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E46D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061EA260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E9312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E1148
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061EE1F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E5E68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E5788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061EC4A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E0328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061E3DCF
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 5_2_00BD51B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014CA1B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014CA978
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014CAB10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014C4A98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014C3E80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014C41C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014CF9C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A43690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A446D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A45E68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A4E5F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A4A260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A49320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A40338
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A45788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A4C4A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A43DE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06B9D190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06B91C93
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: String function: 00238900 appears 42 times
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: String function: 00217DE1 appears 35 times
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: String function: 00230AE3 appears 70 times
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: String function: 000F7DE1 appears 35 times
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: String function: 00118900 appears 42 times
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: String function: 00110AE3 appears 70 times
                  Source: ru52XOQ1p7.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 5.2.indivinity.exe.18a0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 2.2.indivinity.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 2.2.indivinity.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.indivinity.exe.18a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@3/2
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0027A06A GetLastError,FormatMessageW
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002681CB AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001481CB AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_001487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0027B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0028EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00214E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
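                  The "Code function" entries above are only useful to an analyst once the raw API sequences are turned into capabilities: OpenClipboard followed by GetClipboardData is clipboard harvesting, a loop of GetAsyncKeyState/GetKeyState is keystroke polling, DuplicateTokenEx with CreateProcessAsUserW is a token-impersonated spawn, and CreateToolhelp32Snapshot with Process32NextW is process enumeration. The following is an added example written for this page, not Joe Sandbox code: it parses lines in the report's own format and tags a function only when the complete API set of a pattern is present, so a lone OpenClipboard in ordinary GUI code does not fire. The sample lines are constructed from the report's entries (trimmed), and the capability table is an assumption of this example.

```python
"""Capability triage over Joe Sandbox "Code function" lines (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from entries of the report (same format, API lists trimmed).
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\ru52XOQ1p7.exe Code function: 0_2_00283F66 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,DragQueryFileW,CountClipboardFormats,CloseClipboard,0_2_00283F66",
    "Source: C:\\Users\\user\\Desktop\\ru52XOQ1p7.exe Code function: 0_2_0027001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0027001C",
    "Source: C:\\Users\\user\\Desktop\\ru52XOQ1p7.exe Code function: 0_2_00268310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,0_2_00268310",
    "Source: C:\\Users\\user\\Desktop\\ru52XOQ1p7.exe Code function: 0_2_0028EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0028EE0D",
    "Source: C:\\Users\\user\\Desktop\\ru52XOQ1p7.exe Code function: 0_2_0023D975",
]

# Assumed mapping for this example: a label fires only when EVERY listed API
# appears in the same function's call sequence.
CAPABILITY_RULES: Dict[str, Tuple[str, ...]] = {
    "clipboard-read": ("OpenClipboard", "GetClipboardData"),
    "keystroke-polling": ("GetAsyncKeyState", "GetKeyState"),
    "token-impersonation-spawn": ("DuplicateTokenEx", "CreateProcessAsUserW"),
    "process-enumeration": ("CreateToolhelp32Snapshot", "Process32NextW"),
}

# Function id is <pid>_<run>_<hex address>; the report repeats it after the API list.
LINE_RE = re.compile(
    r"Source:\s+(?P<image>.+?)\s+Code function:\s+(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s*(?P<apis>.*)$"
)


def parse_code_function(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (image, function id, [api names]) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    func = m.group("func")
    # Drop empty fields and the trailing repeat of the function id.
    apis = [a for a in m.group("apis").split(",") if a and a != func]
    return m.group("image"), func, apis


def tag_capabilities(apis: List[str]) -> List[str]:
    """Labels whose required API set is fully present in the call sequence."""
    present = set(apis)
    return [label for label, required in CAPABILITY_RULES.items()
            if all(api in present for api in required)]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map function id -> capability labels; functions with no label are omitted."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        _image, func, apis = parsed
        labels = tag_capabilities(apis)
        if labels:
            result[func] = labels
    return result


if __name__ == "__main__":
    for func, labels in triage(SAMPLE_LINES).items():
        print(func, "->", ", ".join(labels))
```

Requiring the full API set per function is the design choice that matters: keyed on single imports, every AutoIt-compiled binary would light up, since the runtime links all of these APIs whether or not the script uses them. The report's own "Contains functionality ..." signatures work the same way, per function rather than per import table.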
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeFile created: C:\Users\user\AppData\Local\biopsiesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeFile created: C:\Users\user\AppData\Local\Temp\autEFFB.tmpJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: ru52XOQ1p7.exe | ReversingLabs: Detection: 71%
                  Source: ru52XOQ1p7.exe | Virustotal: Detection: 69%
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | File read: C:\Users\user\Desktop\ru52XOQ1p7.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\ru52XOQ1p7.exe "C:\Users\user\Desktop\ru52XOQ1p7.exe"
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Process created: C:\Users\user\AppData\Local\biopsies\indivinity.exe "C:\Users\user\Desktop\ru52XOQ1p7.exe"
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ru52XOQ1p7.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\biopsies\indivinity.exe "C:\Users\user\AppData\Local\biopsies\indivinity.exe"
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\biopsies\indivinity.exe"
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: Binary string: wntdll.pdbUGP source: indivinity.exe, 00000002.00000003.1454373481.0000000004150000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000002.00000003.1455466766.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1550880761.0000000003570000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1551623370.0000000003710000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: indivinity.exe, 00000002.00000003.1454373481.0000000004150000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000002.00000003.1455466766.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1550880761.0000000003570000.00000004.00001000.00020000.00000000.sdmp, indivinity.exe, 00000005.00000003.1551623370.0000000003710000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00214B37 LoadLibraryA,GetProcAddress, 0_2_00214B37
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_0021C508 push A30021BAh; retn 0021h 0_2_0021C50D
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00238945 push ecx; ret 0_2_00238958
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000FC4FE push A3000FBAh; retn 000Fh 2_2_000FC50D
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00118945 push ecx; ret 2_2_00118958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02810C6D push edi; retf 3_2_02810C7A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_061EABF9 push ecx; iretd 3_2_061EAC00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014C0C6D push edi; retf 6_2_014C0C7A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06A4ABF9 push ecx; iretd 6_2_06A4AC00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06B98C70 push es; ret 6_2_06B98C80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06B9F8E7 push ebx; iretd 6_2_06B9F8EA
                  Source: initial sample | Static PE information: section name: UPX0
                  Source: initial sample | Static PE information: section name: UPX1
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | File created: C:\Users\user\AppData\Local\biopsies\indivinity.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_002148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_002148D7
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00295376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00295376
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_000F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_000F48D7
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00175376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00175376
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeCode function: 0_2_00233187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00233187
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe API/Special instruction interceptor: Address: 14648DC
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe API/Special instruction interceptor: Address: BD4DDC
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_000F96E0 sldt word ptr [esp+esi*8]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2329
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2192
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7628
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe API coverage: 5.1 %
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe API coverage: 5.3 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0027445A GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0027C6D1 FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0027C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0027EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0027F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0027F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_002737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00273B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0027BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0015445A GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0015C6D1 FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0015C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0015EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0015F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0015F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_001537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_00153B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0015BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_002149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99382
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99272
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98172
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98063
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97813
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97688
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97577
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97247
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96893
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96647
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96063
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95516
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99219
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96219
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95532
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95405
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94883
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 92985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 92860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 92735
                  Source: RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00283F09 BlockInput
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00213B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00245A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00214B37 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_015A43C8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_015A4428 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_015A2D98 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_01463518 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_01464B48 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_01464BA8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 5_2_00BD50A8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 5_2_00BD3A18 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 5_2_00BD5048 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_002680A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0023A124 SetUnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0023A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0011A124 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Code function: 2_2_0011A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 88A008
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E6F008
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_002687B1 LogonUserW
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00213B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_002148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00274C27 mouse_event
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ru52XOQ1p7.exe"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\biopsies\indivinity.exe "C:\Users\user\AppData\Local\biopsies\indivinity.exe"
                  Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\biopsies\indivinity.exe"
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_00267CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0026874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: ru52XOQ1p7.exe, 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp, indivinity.exe, 00000002.00000002.1455991224.00000000001A4000.00000040.00000001.01000000.00000004.sdmp, indivinity.exe, 00000005.00000002.1555654136.00000000001A4000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: ru52XOQ1p7.exe, indivinity.exe Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exe Code function: 0_2_0023862B cpuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeCode function: 0_2_00244E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00244E87
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeCode function: 0_2_00251E06 GetUserNameW,0_2_00251E06
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeCode function: 0_2_00243F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00243F3A
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeCode function: 0_2_002149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002149A0
                  Source: C:\Users\user\Desktop\ru52XOQ1p7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 5.2.indivinity.exe.18a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.indivinity.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.indivinity.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.indivinity.exe.18a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1559661926.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2678830148.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1559661926.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2678830148.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: indivinity.exe PID: 7884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: indivinity.exe PID: 8184, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: indivinity.exe | Binary or memory string: WIN_81
Source: indivinity.exe | Binary or memory string: WIN_XP
Source: indivinity.exe | Binary or memory string: WIN_XPe
Source: indivinity.exe | Binary or memory string: WIN_VISTA
Source: indivinity.exe | Binary or memory string: WIN_7
Source: indivinity.exe | Binary or memory string: WIN_8
Source: indivinity.exe, 00000005.00000002.1555654136.00000000001A4000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 5.2.indivinity.exe.18a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.indivinity.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.indivinity.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.indivinity.exe.18a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1559661926.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2678830148.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: indivinity.exe PID: 7884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: indivinity.exe PID: 8184, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 5.2.indivinity.exe.18a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.indivinity.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.indivinity.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.indivinity.exe.18a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1559661926.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2678830148.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1559661926.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2678830148.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: indivinity.exe PID: 7884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: indivinity.exe PID: 8184, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00286283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00286283
Source: C:\Users\user\Desktop\ru52XOQ1p7.exe | Code function: 0_2_00286747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00286747
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00166283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00166283
Source: C:\Users\user\AppData\Local\biopsies\indivinity.exe | Code function: 2_2_00166747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00166747
MITRE ATT&CK Matrix (one line per tactic column; a technique carries the report's signature count badge in brackets where the matrix showed one, techniques without a number showed no count)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation [121]; Native API [2]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting [111]; DLL Side-Loading [1]; Valid Accounts [2]; Registry Run Keys / Startup Folder [2]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [212]; Registry Run Keys / Startup Folder [2]; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [21]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [131]; Access Token Manipulation [21]; Process Injection [212]
Credential Access: OS Credential Dumping [2]; Input Capture [121]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [138]; Security Software Discovery [341]; Virtualization/Sandbox Evasion [131]; Process Discovery [2]; Application Window Discovery [11]; System Owner/User Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Input Capture [121]; Clipboard Data [3]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph (ID: 1588343, Sample: ru52XOQ1p7.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100)

Start node: DNS/IP: mail.alltoursegypt.com; alltoursegypt.com; 2 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures.

- ru52XOQ1p7.exe (started) [Binary is likely a compiled AutoIt script file]
  - dropped: C:\Users\user\AppData\...\indivinity.exe, PE32
  - indivinity.exe (started) [Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures]
    - dropped: C:\Users\user\AppData\...\indivinity.vbs, data
    - RegSvcs.exe (started) [Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)]
      - alltoursegypt.com 192.254.186.165, ports 49714, 49715, 49717, UNIFIEDLAYER-AS-1US, United States
      - api.ipify.org 172.67.74.152, 443, 49713, 49716, CLOUDFLARENETUS, United States
- wscript.exe (started) [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
  - indivinity.exe (started) [Writes to foreign memory regions; Maps a DLL or memory area into another process]
    - RegSvcs.exe (started) [Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures]

Source | Detection | Scanner | Label | Link
ru52XOQ1p7.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject |
ru52XOQ1p7.exe | 69% | Virustotal | | Browse
ru52XOQ1p7.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\biopsies\indivinity.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\biopsies\indivinity.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://x1.cu | 0% | Avira URL Cloud | safe |
http://alltoursegypt.com | 0% | Avira URL Cloud | safe |
http://mail.alltoursegypt.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 172.67.74.152 | true | false | | high
alltoursegypt.com | 192.254.186.165 | true | true | | unknown
mail.alltoursegypt.com | unknown | unknown | true | | unknown
18.31.95.13.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | indivinity.exe, 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, indivinity.exe, 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://r10.i.lencr.org/01 | RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | indivinity.exe, 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, indivinity.exe, 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://x1.cu | RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678125518.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678125518.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://alltoursegypt.com | RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.000000000302C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.alltoursegypt.com | RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.000000000302C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r10.o.lencr.org0# | RegSvcs.exe, 00000003.00000002.1568699970.0000000005C7B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1559661926.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1555345301.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2683342127.0000000006200000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | RegSvcs.exe, 00000003.00000002.1559661926.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.1559661926.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2678830148.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros | RegSvcs.exe, 00000003.00000002.1568699970.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
192.254.186.165 | alltoursegypt.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                                              Joe Sandbox version:42.0.0 Malachite
                                              Analysis ID:1588343
                                              Start date and time:2025-01-11 00:47:52 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 7m 38s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:ru52XOQ1p7.exe
                                              renamed because original name is a hash value
                                              Original Sample Name:98b6476344625f6f4510212eaa5e7b73343c136775e17c12ebebb0fc1da55427.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@3/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 62
                                              • Number of non-executed functions: 289
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.95.31.18, 20.109.210.53
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
18:48:56 | API Interceptor | 1563410x Sleep call for process: RegSvcs.exe modified
23:48:54 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 172.67.74.152
• jgbC220X2U.exe | malicious | Unknown | context: api.ipify.org/?format=text
• malware.exe | malicious | Targeted Ransomware, TrojanRansom | context: api.ipify.org/
• Simple1.exe | malicious | Unknown | context: api.ipify.org/
• Simple2.exe | malicious | Unknown | context: api.ipify.org/
• systemConfigChecker.exe | malicious | Unknown | context: api.ipify.org/
• systemConfigChecker.exe | malicious | Unknown | context: api.ipify.org/
• 2b7cu0KwZl.exe | malicious | Unknown | context: api.ipify.org/
• Zc9eO57fgF.elf | malicious | Unknown | context: api.ipify.org/
• 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | context: api.ipify.org/
• Yc9hcFC1ux.exe | malicious | Unknown | context: api.ipify.org/
Match: 192.254.186.165
• Y8Q1voljvb.exe | malicious | AgentTesla
• EZZGTmJj4O.exe | malicious | AgentTesla
• 4089137200.exe | malicious | AgentTesla
• rDOC24INV0616.exe | malicious | AgentTesla
• INVOICE NO. USF23-24072 IGR23110.exe | malicious | AgentTesla
• Shipping Documents 72908672134.exe | malicious | AgentTesla
• PUK ITALIA PO 120610549.EXE.exe | malicious | AgentTesla, PureLog Stealer
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: api.ipify.org
• xJZHVgxQul.exe | malicious | AgentTesla | context: 104.26.12.205
• jG8N6WDJOx.exe | malicious | AgentTesla | context: 104.26.13.205
• HGhGAjCVw5.exe | malicious | AgentTesla | context: 104.26.13.205
• https://glfbanks.com/ | malicious | HTMLPhisher | context: 104.26.12.205
• s2Jg1MAahY.exe | malicious | AgentTesla | context: 104.26.12.205
• Y8Q1voljvb.exe | malicious | AgentTesla | context: 104.26.12.205
• IUqsn1SBGy.exe | malicious | AgentTesla | context: 104.26.13.205
• DpTbBYeE7J.exe | malicious | AgentTesla, PureLog Stealer | context: 104.26.12.205
• RJKUWSGxej.exe | malicious | AgentTesla, RedLine | context: 104.26.13.205
• 7DpzcPcsTS.exe | malicious | AgentTesla | context: 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: UNIFIEDLAYER-AS-1US
• 28uMwHvbTD.exe | malicious | AgentTesla | context: 162.241.62.63
• https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher | context: 162.241.149.91
• https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher | context: 162.241.149.91
• Bontrageroutdoors_Project_Update_202557516.pdf | malicious | Unknown | context: 108.179.241.236
• e4Iw3lwFJ5.exe | malicious | AgentTesla | context: 162.241.62.63
• https://probashkontho.com/work/Organization/privacy/index_.html | malicious | Unknown | context: 192.185.57.31
• Y8Q1voljvb.exe | malicious | AgentTesla | context: 192.254.186.165
• secured File__esperion.com.html | malicious | Phisher | context: 162.241.149.91
• secured File__esperion.com.html | malicious | Phisher | context: 162.241.149.91
• XoRPyi5s1i.exe | malicious | AgentTesla | context: 162.241.62.63
Match: CLOUDFLARENETUS
• tVuAoupHhZ.exe | malicious | Snake Keylogger | context: 104.21.32.1
• TjoY7n65om.exe | malicious | Snake Keylogger | context: 104.21.80.1
• phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | context: 172.66.0.227
• https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | context: 172.66.0.227
• https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | context: 172.66.0.227
• https://maya-lopez.filemail.com/t/XhcWEjoR | malicious | Unknown | context: 188.114.96.3
• 25IvlOVEB1.exe | malicious | FormBook | context: 104.21.32.1
• Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 104.21.16.1
• WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | context: 104.21.16.1
• wymvwQ4mC4.exe | malicious | Snake Keylogger | context: 104.21.96.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
• TjoY7n65om.exe | malicious | Snake Keylogger | context: 172.67.74.152
• Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 172.67.74.152
• WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | context: 172.67.74.152
• 4z8Td6Kv8R.exe | malicious | Unknown | context: 172.67.74.152
• 4z8Td6Kv8R.exe | malicious | Unknown | context: 172.67.74.152
• cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | context: 172.67.74.152
• 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | context: 172.67.74.152
• 2NJzy3tiny.exe | malicious | MassLogger RAT | context: 172.67.74.152
• z87sammylastborn.exe | malicious | MassLogger RAT | context: 172.67.74.152
• vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | context: 172.67.74.152
                                                            No context
                                                            Process:C:\Users\user\Desktop\ru52XOQ1p7.exe
                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):143378
                                                            Entropy (8bit):2.7943872939386707
                                                            Encrypted:false
                                                            SSDEEP:192:mNxyGyDZFuiZynd9SMMVQc3GkcVoudfSq5+vLkF5iglNWO/qb35mwBgZ4mJahYy1:z
                                                            MD5:9B641A4680D56BC0C335420594417883
                                                            SHA1:46351F26B06922FF11595B9F824C80FC03FB19AA
                                                            SHA-256:A6C34531B781B5A5CD6F658C8529988B28A5B79411838F0AF604DE611A361FA5
                                                            SHA-512:9E6060598999F27D968F421730A72C28255248630553A10602CD46121BDE9B941E44D616A1A01FBB1E1D1768D38782B8C64D741840BC8449C046FA61621D6895
                                                            Malicious:false
                                                            Reputation:low
Preview: (encoded file content omitted)
                                                            Process:C:\Users\user\AppData\Local\biopsies\indivinity.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):147956
                                                            Entropy (8bit):7.750495102975612
                                                            Encrypted:false
                                                            SSDEEP:3072:IzSWBO2S8uTgoZisbTTC0Aw2Iz+XUtfyAllwMlLh7SgMgpRx+5C4NzRZi2BigliE:hgdBszksv/j2/Z0LUg3J4NzfHBi1E
                                                            MD5:92A52FE93BA76EB858AFE87B2546B1BB
                                                            SHA1:201477F3A03930F41AE589EC0503AD2492A6022C
                                                            SHA-256:DEE80530A29730DF5621128F7C20560E1455BD4F426030196BDF60B3CCE1010A
                                                            SHA-512:6B1862FB39B975C425334BAA8ADC8EC848411208456DB06CFD385B570C6A6E8D6629903D04769C1D0C447AAAB7DF65EABF3E486A05737F1E282A99A8E0E03AF7
                                                            Malicious:false
                                                            Reputation:low
Preview: (raw binary dump omitted)
                                                            Process:C:\Users\user\AppData\Local\biopsies\indivinity.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):14564
                                                            Entropy (8bit):7.630894401294278
                                                            Encrypted:false
                                                            SSDEEP:384:dTYznwBBBovGolp7mvT9Kh+i/RrHuJyzas6jbWp3isCLA:dAwrBoesJmvZqHrHumObZsCk
                                                            MD5:DFF027D3C52EAD33CA2D6EDFD8F64FA2
                                                            SHA1:4D790EC29871235552A6FAA2B2EDC704A30DFD3E
                                                            SHA-256:200BE026075164FA7A01E90206FAB5866BF939A4D59244F014BF426403500B84
                                                            SHA-512:A6239B3B6AA5BA09F5DD15B7D46DA2DFCA48C42A0EA1C505FA294475CE8E8D59702B25A6BFC954727E3878F83B61E775F259AF1A6708E72CD55CC51427F0245C
                                                            Malicious:false
                                                            Reputation:low
Preview: (raw binary dump omitted)
                                                            Process:C:\Users\user\Desktop\ru52XOQ1p7.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):147956
                                                            Entropy (8bit):7.750495102975612
                                                            Encrypted:false
                                                            SSDEEP:3072:IzSWBO2S8uTgoZisbTTC0Aw2Iz+XUtfyAllwMlLh7SgMgpRx+5C4NzRZi2BigliE:hgdBszksv/j2/Z0LUg3J4NzfHBi1E
                                                            MD5:92A52FE93BA76EB858AFE87B2546B1BB
                                                            SHA1:201477F3A03930F41AE589EC0503AD2492A6022C
                                                            SHA-256:DEE80530A29730DF5621128F7C20560E1455BD4F426030196BDF60B3CCE1010A
                                                            SHA-512:6B1862FB39B975C425334BAA8ADC8EC848411208456DB06CFD385B570C6A6E8D6629903D04769C1D0C447AAAB7DF65EABF3E486A05737F1E282A99A8E0E03AF7
                                                            Malicious:false
                                                            Reputation:low
Preview: (raw binary dump omitted)
                                                            Process:C:\Users\user\Desktop\ru52XOQ1p7.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):14564
                                                            Entropy (8bit):7.630894401294278
                                                            Encrypted:false
                                                            SSDEEP:384:dTYznwBBBovGolp7mvT9Kh+i/RrHuJyzas6jbWp3isCLA:dAwrBoesJmvZqHrHumObZsCk
                                                            MD5:DFF027D3C52EAD33CA2D6EDFD8F64FA2
                                                            SHA1:4D790EC29871235552A6FAA2B2EDC704A30DFD3E
                                                            SHA-256:200BE026075164FA7A01E90206FAB5866BF939A4D59244F014BF426403500B84
                                                            SHA-512:A6239B3B6AA5BA09F5DD15B7D46DA2DFCA48C42A0EA1C505FA294475CE8E8D59702B25A6BFC954727E3878F83B61E775F259AF1A6708E72CD55CC51427F0245C
                                                            Malicious:false
                                                            Reputation:low
Preview: (raw binary dump omitted)
                                                            Process:C:\Users\user\AppData\Local\biopsies\indivinity.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):147956
                                                            Entropy (8bit):7.750495102975612
                                                            Encrypted:false
                                                            SSDEEP:3072:IzSWBO2S8uTgoZisbTTC0Aw2Iz+XUtfyAllwMlLh7SgMgpRx+5C4NzRZi2BigliE:hgdBszksv/j2/Z0LUg3J4NzfHBi1E
                                                            MD5:92A52FE93BA76EB858AFE87B2546B1BB
                                                            SHA1:201477F3A03930F41AE589EC0503AD2492A6022C
                                                            SHA-256:DEE80530A29730DF5621128F7C20560E1455BD4F426030196BDF60B3CCE1010A
                                                            SHA-512:6B1862FB39B975C425334BAA8ADC8EC848411208456DB06CFD385B570C6A6E8D6629903D04769C1D0C447AAAB7DF65EABF3E486A05737F1E282A99A8E0E03AF7
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:EA06......zu:.j.3.Q.3-.&.V.U.u:......(.j.Zl.!. ......'...v...........O..K..U5..d...FMX.NhWy...(..l..|J.y..s.<..W..l....D.u8.n.3.z5.p..n+U).>.J.Q.U......r.2.......@.L.p..iZ.L.$3@....S.V.(1E.F.sj.N.X...5...L...@..k...N.. ..S(....... .P....@S..;L..!....L.......h.....B...=g.V..,.C;.. T .... T@..%L....V..;T.I^.UkUi...T..(.......A...........`.._.X....2.Q.....4.P.....3+...x..b..._..Y....p...E.-..k..?wM....8.w........s......;.M.l?^..n.3.P.<...g|..t..&C..H..^.~...X(.{.X.N}.?............5.m\ry0..y=j..U.K...T..!..r.......j@...o..x.]..~_...k5.m.9.{4.\...;...[.......`.@..r.`@...@..X..$..............@.......$.A.<.=..vS./.x.!\t.H.6....!..'7....s3.L.....f~X...U.w)............c..T........4z.j.T.R/T.....*`........{.......E)..P..5.:'....v.....Z.L.........*}..Bg...*....EY..f...!..l.;5.MD.N.p1F..hs..x.A.V/..%.....`.i.O{F.0&3...eC...6....N...3kn..(...u.,.....d4y.B.4..o...Z.{..f.....}..dr....c.Q)r......A..:p..F.Ah...W[Y.F.q.=.p..T.......[...p..v.U.588..R..#.YM:......
                                                            Process:C:\Users\user\AppData\Local\biopsies\indivinity.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):14564
                                                            Entropy (8bit):7.630894401294278
                                                            Encrypted:false
                                                            SSDEEP:384:dTYznwBBBovGolp7mvT9Kh+i/RrHuJyzas6jbWp3isCLA:dAwrBoesJmvZqHrHumObZsCk
                                                            MD5:DFF027D3C52EAD33CA2D6EDFD8F64FA2
                                                            SHA1:4D790EC29871235552A6FAA2B2EDC704A30DFD3E
                                                            SHA-256:200BE026075164FA7A01E90206FAB5866BF939A4D59244F014BF426403500B84
                                                            SHA-512:A6239B3B6AA5BA09F5DD15B7D46DA2DFCA48C42A0EA1C505FA294475CE8E8D59702B25A6BFC954727E3878F83B61E775F259AF1A6708E72CD55CC51427F0245C
                                                            Malicious:false
                                                            Preview:EA06..0..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                            Process:C:\Users\user\Desktop\ru52XOQ1p7.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):247296
                                                            Entropy (8bit):6.617189993390866
                                                            Encrypted:false
                                                            SSDEEP:6144:wCyEtWEVXgd4ne/yAbpWodkZMqZ6c1dxwPNCu:wCiEVe4e/yAtnAM06MONCu
                                                            MD5:78D1D29B74B3C9BF3805CB2A1636CAA1
                                                            SHA1:B542B8F638D9F1352A506EAE2DF329A82D9EABC5
                                                            SHA-256:EBBE2805B12EE27B3DAA2A292346E360702BE0CC775842B8F0112E90E6383144
                                                            SHA-512:C96496CBD4F4CBCAA5AE5BEAD5EBCFF6188BCA42FBCF1B82E45D53E83706C9B4AD316E3EECB598D6E2B08D6600B7DD632C6EDFCFD1A50F6F6E2DCF1276CE651D
                                                            Malicious:false
                                                            Preview:{..S[ZP3@GA2..ZV.WCSXZP3.GA2G6ZV6WCSXZP3DGA2G6ZV6WCSXZP3DGA2.6ZV8H.]X.Y.e.@~...>_$c#*57A%*aQ&X49Bw!6x(%]d./..y.v[8'6vW]9`GA2G6ZVf.CS.[S30.WG6ZV6WCS.ZR2OFJ2G.YV6_CSXZP3..B2G.ZV6.@SXZ.3DgA2G4ZV2WCSXZP3@GA2G6ZV6wGSXXP3DGA2E6..6WSSXJP3DGQ2G&ZV6WCSHZP3DGA2G6ZV^.@S.ZP3D.B2.3ZV6WCSXZP3DGA2G6ZV6WGSTZP3DGA2G6ZV6WCSXZP3DGA2G6ZV6WCSXZP3DGA2G6ZV6WCSXZP3DgA2O6ZV6WCSXZP3LgA2.6ZV6WCSXZP3j3$J36ZV..@SXzP3D.B2G4ZV6WCSXZP3DGA2g6Z6.%0!;ZP3.BA2G.YV6QCSX.S3DGA2G6ZV6WCS.ZPsj5$^(UZV:WCSXZT3DEA2G.YV6WCSXZP3DGA2.6Z.6WCSXZP3DGA2G6ZV..@SXZP3.GA2E6_Vb.ASLaQ3GGA2F6ZP6WCSXZP3DGA2G6ZV6WCSXZP3DGA2G6ZV6WCSXZP3DGA2G6ZV+......:.8%1.p.0.P..C..>.}HwO.MC...]....`C\..W.\h...M...C.^3.B....|'JCI^.!.X".E..o.z`F.}.PX.9......)G.....q`....<0....B..U8.}9* _!i.S!W(?.U.RXZP3......._/..uY_-pU9d...E;....:GA2#6ZVDWCS9ZP3.GA2(6ZVXWCS&ZP3:GA2.6ZVvWCSoZP3aGA2*6ZV.WCS&ZP3.:N=..?E..SXZP3q....[.....d...5.?i%....3....U`.H).0u...M.1..S.*4dx.Q7QGVZ]T0HzOy..w4SGVZ]T0HzOy..w.q.a..5....L.*6WCSXZ.3D.A2G..V.WCS.Z.3..A2G..V.W.S...3
                                                            Process:C:\Users\user\Desktop\ru52XOQ1p7.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                            Category:dropped
                                                            Size (bytes):563200
                                                            Entropy (8bit):7.924678148332782
                                                            Encrypted:false
                                                            SSDEEP:12288:oquErHF6xC9D6DmR1J98w4oknqOOCyQfqdXvlK9inAp61HOfu4:prl6kD68JmlotQfwo9y1ud
                                                            MD5:692089076DEAFF03DA7F7C4977B68EF7
                                                            SHA1:FCB8330A1B16A57A8D81C1B0EE584781B6C8E4D5
                                                            SHA-256:98B6476344625F6F4510212EAA5E7B73343C136775E17C12EBEBB0FC1DA55427
                                                            SHA-512:B746FABEFAB0A6E5CB2FE2C8EAC9B540432A5B2BC6B3A90C894F3517D05195FF62C6838FBD9B8019BD0F717C284F23B2E82CDD30E1312F06E26602162D7D1E5E
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 71%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....Vg.........."......`...@...P......`........@.......................................@...@.......@.....................$...$.......$2..................H...........................................H...........................................UPX0.....P..............................UPX1.....`...`...\..................@....rsrc....@.......8...`..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                            Process:C:\Users\user\AppData\Local\biopsies\indivinity.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):276
                                                            Entropy (8bit):3.418392106115167
                                                            Encrypted:false
                                                            SSDEEP:6:DMM8lfm3OOQdUfclgMsUEZ+lX1JUZi2kpmhDdnriIM8lfQVn:DsO+vNlgMsQ1voFmA2n
                                                            MD5:6C07D9CA034B541F6A0E1ABDC36ABB45
                                                            SHA1:1D764772C53F4603FC6B01E17BCBC3C27E1C16D0
                                                            SHA-256:0B83222341A2F878452B0A11AAA4C71217087BFF305F389604EF9E278A7E955A
                                                            SHA-512:38761524D47745F31A52ADF6287285E979ABECD540A74442012ED5B5DCE0CDBB191D57AF3CE9F1AEF4262D9FBE4881ED358CFB0E4F628CE81BB58D8768E953A8
                                                            Malicious:true
                                                            Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.b.i.o.p.s.i.e.s.\.i.n.d.i.v.i.n.i.t.y...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                            Entropy (8bit):7.924678148332782
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.39%
                                                            • UPX compressed Win32 Executable (30571/9) 0.30%
                                                            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            File name:ru52XOQ1p7.exe
                                                            File size:563'200 bytes
                                                            MD5:692089076deaff03da7f7c4977b68ef7
                                                            SHA1:fcb8330a1b16a57a8d81c1b0ee584781b6c8e4d5
                                                            SHA256:98b6476344625f6f4510212eaa5e7b73343c136775e17c12ebebb0fc1da55427
                                                            SHA512:b746fabefab0a6e5cb2fe2c8eac9b540432a5b2bc6b3a90c894f3517d05195ff62c6838fbd9b8019bd0f717c284f23b2e82cdd30e1312f06e26602162d7d1e5e
                                                            SSDEEP:12288:oquErHF6xC9D6DmR1J98w4oknqOOCyQfqdXvlK9inAp61HOfu4:prl6kD68JmlotQfwo9y1ud
                                                            TLSH:D5C4138996E5CD36C6652371853ACD9049A57833DE88BB6ECB24F20FFC21303E51B62D
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                            Icon Hash:aaf3e3e3938382a0
                                                            Entrypoint:0x50b9d0
                                                            Entrypoint Section:UPX1
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6756DAC8 [Mon Dec 9 11:55:52 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:fc6683d30d9f25244a50fd5357825e79
                                                            Instruction
                                                            pushad
                                                            mov esi, 004B6000h
                                                            lea edi, dword ptr [esi-000B5000h]
                                                            push edi
                                                            jmp 00007F69A4B1C74Dh
                                                            nop
                                                            mov al, byte ptr [esi]
                                                            inc esi
                                                            mov byte ptr [edi], al
                                                            inc edi
                                                            add ebx, ebx
                                                            jne 00007F69A4B1C749h
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            jc 00007F69A4B1C72Fh
                                                            mov eax, 00000001h
                                                            add ebx, ebx
                                                            jne 00007F69A4B1C749h
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            adc eax, eax
                                                            add ebx, ebx
                                                            jnc 00007F69A4B1C74Dh
                                                            jne 00007F69A4B1C76Ah
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            jc 00007F69A4B1C761h
                                                            dec eax
                                                            add ebx, ebx
                                                            jne 00007F69A4B1C749h
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            adc eax, eax
                                                            jmp 00007F69A4B1C716h
                                                            add ebx, ebx
                                                            jne 00007F69A4B1C749h
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            adc ecx, ecx
                                                            jmp 00007F69A4B1C794h
                                                            xor ecx, ecx
                                                            sub eax, 03h
                                                            jc 00007F69A4B1C753h
                                                            shl eax, 08h
                                                            mov al, byte ptr [esi]
                                                            inc esi
                                                            xor eax, FFFFFFFFh
                                                            je 00007F69A4B1C7B7h
                                                            sar eax, 1
                                                            mov ebp, eax
                                                            jmp 00007F69A4B1C74Dh
                                                            add ebx, ebx
                                                            jne 00007F69A4B1C749h
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            jc 00007F69A4B1C70Eh
                                                            inc ecx
                                                            add ebx, ebx
                                                            jne 00007F69A4B1C749h
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            jc 00007F69A4B1C700h
                                                            add ebx, ebx
                                                            jne 00007F69A4B1C749h
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            adc ecx, ecx
                                                            add ebx, ebx
                                                            jnc 00007F69A4B1C731h
                                                            jne 00007F69A4B1C74Bh
                                                            mov ebx, dword ptr [esi]
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            jnc 00007F69A4B1C726h
                                                            add ecx, 02h
                                                            cmp ebp, FFFFFB00h
                                                            adc ecx, 02h
                                                            lea edx, dword ptr [edi+ebp]
                                                            cmp ebp, FFFFFFFCh
                                                            jbe 00007F69A4B1C750h
                                                            mov al, byte ptr [edx]
                                                            Programming Language:
                                                            • [ASM] VS2013 build 21005
                                                            • [ C ] VS2013 build 21005
                                                            • [C++] VS2013 build 21005
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
                                                            • [ASM] VS2013 UPD4 build 31101
                                                            • [RES] VS2013 build 21005
                                                            • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13f224 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0x33224 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13f648 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x10bbb4 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xb5000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xb6000 | 0x56000 | 0x55c00 | 95c5b2691e647083f16a3f6789d6ca6f | False | 0.9884065233236151 | data | 7.936730189585585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x10c000 | 0x34000 | 0x33800 | 21fa6efc08e32346abe2e533c605cfbc | False | 0.9001820388349514 | data | 7.830338685287629 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10c5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x10c6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x10c804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x10c930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x10cc1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x10cd48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x10dbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x10e4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x10ea0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x110fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x112064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | SysEx File - Oberheim | English | Great Britain | 1.1375
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 1.007703081232493
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 1.0065710872162486
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 1.009417808219178
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 1.0071801566579635
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 1.0067567567567568
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 1.0097690941385435
RT_STRING | 0xcf660 | 0x158 | data | English | Great Britain | 1.0319767441860466
RT_RCDATA | 0x1124d0 | 0x2c7ba | data | | | 1.000362235321237
RT_GROUP_ICON | 0x13ec90 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x13ed0c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x13ed24 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x13ed3c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x13ed54 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x13ee34 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetOpenFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 00:48:56.778037071 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:56.778070927 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:56.778238058 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:56.786180973 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:56.786216021 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:57.248955011 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:57.249026060 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:57.252734900 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:57.252743959 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:57.253047943 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:57.300015926 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:57.307073116 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:57.347358942 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:57.417040110 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:57.417104959 CET | 443 | 49713 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:48:57.417469025 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:57.423126936 CET | 49713 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:48:58.477252007 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:58.486666918 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:58.486764908 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.154284954 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.154521942 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.161679983 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.304987907 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.305182934 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.311903000 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.457313061 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.457808971 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.464227915 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.631319046 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.631335974 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.631349087 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.631387949 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.650724888 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.657702923 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.800717115 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.803484917 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.810187101 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.953598022 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:48:59.954720020 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:48:59.961572886 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:00.125086069 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:00.126065016 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:00.132937908 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:02.353432894 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:02.353774071 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:02.359870911 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:02.515197992 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:02.516465902 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:02.516550064 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:02.680985928 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:02.688183069 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:02.743400097 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:02.749824047 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:02.749891043 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:03.326817036 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.327018023 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:03.334974051 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.483195066 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.489258051 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:03.496325970 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.639029026 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.639539957 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:03.644402981 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.803416014 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.803436041 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.803448915 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.803575039 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:03.805187941 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:03.810039997 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.952960014 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:03.963442087 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:03.968803883 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:04.110399008 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:04.110779047 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:04.115607977 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:07.332067966 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.332123041 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.332602978 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.335876942 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.335892916 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.751882076 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:07.803118944 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.803196907 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.804965019 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.804972887 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.805233955 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.847343922 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.863408089 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.907325029 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.969105959 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.969186068 CET | 443 | 49716 | 172.67.74.152 | 192.168.2.9
Jan 11, 2025 00:49:07.969418049 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:07.972230911 CET | 49716 | 443 | 192.168.2.9 | 172.67.74.152
Jan 11, 2025 00:49:08.537220955 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:08.543389082 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:08.543474913 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:09.203155041 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.204207897 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:09.210325003 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.353482962 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.353682041 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:09.360356092 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.504576921 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.505363941 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:09.512934923 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.671339035 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.671361923 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.671374083 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.671442986 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:09.673501015 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:09.680212021 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.823656082 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:09.878175020 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:10.001884937 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:10.009628057 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:10.152703047 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:10.153038025 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:10.159945965 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:11.780502081 CET | 52792 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:11.786796093 CET | 53 | 52792 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:11.788012981 CET | 52792 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:11.794574976 CET | 53 | 52792 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:12.249860048 CET | 52792 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:12.257216930 CET | 53 | 52792 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:12.257287979 CET | 52792 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:18.306803942 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:18.307203054 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:18.312139034 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:20.471520901 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:20.472143888 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:20.476969004 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:20.619926929 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:20.621608973 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:20.621715069 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:20.625447035 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:20.630276918 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:20.666387081 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:20.671263933 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:20.671369076 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:21.264688969 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.264879942 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:21.269745111 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.424336910 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.424547911 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:21.429498911 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.577625036 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.578229904 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:21.583098888 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.750802994 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.750843048 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.750878096 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.750925064 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:21.755635023 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:21.760449886 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.905654907 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:21.906800985 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:21.911622047 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:22.056723118 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:22.056946993 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:22.063879013 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:25.324743986 CET | 59877 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:25.331252098 CET | 53 | 59877 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:25.331341982 CET | 59877 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:25.337970972 CET | 53 | 59877 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:25.796288967 CET | 59877 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:25.803217888 CET | 53 | 59877 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:25.803396940 CET | 59877 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:26.338941097 CET | 55696 | 53 | 192.168.2.9 | 162.159.36.2
Jan 11, 2025 00:49:26.343795061 CET | 53 | 55696 | 162.159.36.2 | 192.168.2.9
Jan 11, 2025 00:49:26.343873978 CET | 55696 | 53 | 192.168.2.9 | 162.159.36.2
Jan 11, 2025 00:49:26.348699093 CET | 53 | 55696 | 162.159.36.2 | 192.168.2.9
Jan 11, 2025 00:49:26.798562050 CET | 55696 | 53 | 192.168.2.9 | 162.159.36.2
Jan 11, 2025 00:49:26.804920912 CET | 53 | 55696 | 162.159.36.2 | 192.168.2.9
Jan 11, 2025 00:49:26.804970980 CET | 55696 | 53 | 192.168.2.9 | 162.159.36.2
Jan 11, 2025 00:49:30.211424112 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:30.211806059 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:30.218513012 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:32.501395941 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:32.501622915 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:32.508274078 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:32.654470921 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:32.655018091 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:32.656054974 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Jan 11, 2025 00:49:32.656127930 CET | 52793 | 587 | 192.168.2.9 | 192.254.186.165
Jan 11, 2025 00:49:32.661360979 CET | 587 | 52793 | 192.254.186.165 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 00:48:56.765347004 CET | 54184 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:48:56.772442102 CET | 53 | 54184 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:48:57.989703894 CET | 55658 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:48:58.424763918 CET | 53 | 55658 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:11.777673006 CET | 53 | 56554 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:25.324371099 CET | 53 | 62924 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:49:26.338366032 CET | 53 | 57930 | 162.159.36.2 | 192.168.2.9
Jan 11, 2025 00:49:26.824213982 CET | 59477 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:49:26.832984924 CET | 53 | 59477 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 00:48:56.765347004 CET | 192.168.2.9 | 1.1.1.1 | 0x5895 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:48:57.989703894 CET | 192.168.2.9 | 1.1.1.1 | 0x5d32 | Standard query (0) | mail.alltoursegypt.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:49:26.824213982 CET | 192.168.2.9 | 1.1.1.1 | 0x71e8 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 00:48:56.772442102 CET | 1.1.1.1 | 192.168.2.9 | 0x5895 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:48:56.772442102 CET | 1.1.1.1 | 192.168.2.9 | 0x5895 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:48:56.772442102 CET | 1.1.1.1 | 192.168.2.9 | 0x5895 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:48:58.424763918 CET | 1.1.1.1 | 192.168.2.9 | 0x5d32 | No error (0) | mail.alltoursegypt.com | alltoursegypt.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 00:48:58.424763918 CET | 1.1.1.1 | 192.168.2.9 | 0x5d32 | No error (0) | alltoursegypt.com | | 192.254.186.165 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:49:26.832984924 CET | 1.1.1.1 | 192.168.2.9 | 0x71e8 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49713 | 172.67.74.152 | 443 | 7928 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:48:57 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2025-01-10 23:48:57 UTC | 424 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 23:48:57 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 90008f927bdd8c53-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1906&min_rtt=1903&rtt_var=720&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1512953&cwnd=213&unsent_bytes=0&cid=dbd97c723b7b74e4&ts=177&x=0"
2025-01-10 23:48:57 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
    Data Ascii: 8.46.123.189

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49716 | 172.67.74.152 | 443 | 7216 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:49:07 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2025-01-10 23:49:07 UTC | 424 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 23:49:07 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 90008fd4789d1871-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1549&rtt_var=712&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1407228&cwnd=187&unsent_bytes=0&cid=217d7e088c75bfd5&ts=170&x=0"
2025-01-10 23:49:07 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
    Data Ascii: 8.46.123.189

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 11, 2025 00:48:59.154284954 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9 | 220-gator3170.hostgator.com ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 17:48:59 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jan 11, 2025 00:48:59.154521942 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165 | EHLO 632922
Jan 11, 2025 00:48:59.304987907 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9 | 250-gator3170.hostgator.com Hello 632922 [8.46.123.189]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jan 11, 2025 00:48:59.305182934 CET | 49714 | 587 | 192.168.2.9 | 192.254.186.165 | STARTTLS
Jan 11, 2025 00:48:59.457313061 CET | 587 | 49714 | 192.254.186.165 | 192.168.2.9 | 220 TLS go ahead
Jan 11, 2025 00:49:03.326817036 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9 | 220-gator3170.hostgator.com ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 17:49:03 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jan 11, 2025 00:49:03.327018023 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165 | EHLO 632922
Jan 11, 2025 00:49:03.483195066 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9 | 250-gator3170.hostgator.com Hello 632922 [8.46.123.189]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jan 11, 2025 00:49:03.489258051 CET | 49715 | 587 | 192.168.2.9 | 192.254.186.165 | STARTTLS
Jan 11, 2025 00:49:03.639029026 CET | 587 | 49715 | 192.254.186.165 | 192.168.2.9 | 220 TLS go ahead
Jan 11, 2025 00:49:09.203155041 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9 | 220-gator3170.hostgator.com ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 17:49:09 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jan 11, 2025 00:49:09.204207897 CET | 49717 | 587 | 192.168.2.9 | 192.254.186.165 | EHLO 632922
Jan 11, 2025 00:49:09.353482962 CET | 587 | 49717 | 192.254.186.165 | 192.168.2.9 | 250-gator3170.hostgator.com Hello 632922 [8.46.123.189]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
                                                            250-AUTH PLAIN LOGIN
                                                            250-STARTTLS
                                                            250 HELP
                                                            Jan 11, 2025 00:49:09.353682041 CET49717587192.168.2.9192.254.186.165STARTTLS
                                                            Jan 11, 2025 00:49:09.504576921 CET58749717192.254.186.165192.168.2.9220 TLS go ahead
                                                            Jan 11, 2025 00:49:21.264688969 CET58752793192.254.186.165192.168.2.9220-gator3170.hostgator.com ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 17:49:21 -0600
                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                            220 and/or bulk e-mail.
                                                            Jan 11, 2025 00:49:21.264879942 CET52793587192.168.2.9192.254.186.165EHLO 632922
                                                            Jan 11, 2025 00:49:21.424336910 CET58752793192.254.186.165192.168.2.9250-gator3170.hostgator.com Hello 632922 [8.46.123.189]
                                                            250-SIZE 52428800
                                                            250-8BITMIME
                                                            250-PIPELINING
                                                            250-PIPECONNECT
                                                            250-AUTH PLAIN LOGIN
                                                            250-STARTTLS
                                                            250 HELP
                                                            Jan 11, 2025 00:49:21.424547911 CET52793587192.168.2.9192.254.186.165STARTTLS
                                                            Jan 11, 2025 00:49:21.577625036 CET58752793192.254.186.165192.168.2.9220 TLS go ahead

                                                            Target ID:0
                                                            Start time:18:48:51
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\Desktop\ru52XOQ1p7.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\ru52XOQ1p7.exe"
                                                            Imagebase:0x210000
                                                            File size:563'200 bytes
                                                            MD5 hash:692089076DEAFF03DA7F7C4977B68EF7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:18:48:52
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\AppData\Local\biopsies\indivinity.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\ru52XOQ1p7.exe"
                                                            Imagebase:0xf0000
                                                            File size:563'200 bytes
                                                            MD5 hash:692089076DEAFF03DA7F7C4977B68EF7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1457730606.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 71%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:18:48:53
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\ru52XOQ1p7.exe"
                                                            Imagebase:0x630000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1559661926.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1559661926.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1559661926.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1554465859.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:18:49:02
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\indivinity.vbs"
                                                            Imagebase:0x7ff7aeb40000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:18:49:03
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\AppData\Local\biopsies\indivinity.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\biopsies\indivinity.exe"
                                                            Imagebase:0xf0000
                                                            File size:563'200 bytes
                                                            MD5 hash:692089076DEAFF03DA7F7C4977B68EF7
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.1559657826.00000000018A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:18:49:04
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\biopsies\indivinity.exe"
                                                            Imagebase:0xc10000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2678830148.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2678830148.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2678830148.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                              Execution Graph

                                                              Execution Coverage:3.6%
                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                              Signature Coverage:7.9%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:159
101762->101763 101764 2172ab 101762->101764 101767 24ea3e 7722D0D0 101763->101767 102837 214750 101764->102837 101769 24ea8d 101767->101769 101771 217bcc 59 API calls 101769->101771 101773 24eaa2 101771->101773 101773->101773 101774 2172c9 102865 21686a 101774->102865 101778 22093a __write_nolock 101777->101778 103182 216d80 101778->103182 101780 22093f 101781 213c14 101780->101781 103193 22119e 89 API calls 101780->103193 101781->101639 101781->101647 101783 22094c 101783->101781 103194 223ee7 91 API calls Mailbox 101783->103194 101785 220955 101785->101781 101786 220959 GetFullPathNameW 101785->101786 101787 217bcc 59 API calls 101786->101787 101788 220985 101787->101788 101794 213ab0 LoadImageW RegisterClassExW 101793->101794 101795 24d261 101793->101795 103228 213041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 101794->103228 103232 2147a0 LoadImageW EnumResourceNamesW 101795->103232 101799 24d26a 101879->101639 101880->101652 101882 241940 __write_nolock 101881->101882 101883 214713 GetModuleFileNameW 101882->101883 101893 213d3e __write_nolock 101892->101893 101894 217bcc 59 API calls 101893->101894 101899 213ea4 Mailbox 101893->101899 101896 213d70 101894->101896 101904 213da6 Mailbox 101896->101904 102014 2179f2 101896->102014 101897 213e77 101898 217de1 59 API calls 101897->101898 101897->101899 101901 213e98 101898->101901 101899->101684 101900 217de1 59 API calls 101900->101904 101902 213f74 59 API calls 101901->101902 101902->101899 101904->101897 101904->101899 101904->101900 101905 2179f2 59 API calls 101904->101905 102017 213f74 101904->102017 101905->101904 102023 214bb5 101906->102023 101911 24d8e6 101914 214e4a 84 API calls 101911->101914 101912 214e08 LoadLibraryExW 102033 214b6a 101912->102033 101916 24d8ed 101914->101916 101918 214b6a 3 API calls 101916->101918 101920 24d8f5 101918->101920 101919 214e2f 101919->101920 101921 214e3b 101919->101921 102059 214f0b 101920->102059 101923 214e4a 84 API calls 101921->101923 101925 2137d4 
101923->101925 101925->101691 101925->101692 101927 24d91c 102067 214ec7 101927->102067 101929 24d929 101931 230db6 Mailbox 59 API calls 101930->101931 101932 2137fb 101931->101932 101932->101704 101934 2184cb 101933->101934 101936 2184f2 101934->101936 102496 2189b3 69 API calls Mailbox 101934->102496 101936->101709 101938 213ef3 101937->101938 101939 213eda 101937->101939 101940 217bcc 59 API calls 101938->101940 101941 218047 59 API calls 101939->101941 101942 213879 101940->101942 101941->101942 101943 232efd 101942->101943 101944 232f09 101943->101944 101945 232f7e 101943->101945 101952 232f2e 101944->101952 102497 238b28 58 API calls __getptd_noexit 101944->102497 102499 232f90 60 API calls 3 library calls 101945->102499 101948 232f8b 101948->101730 101949 232f15 102498 238db6 9 API calls __wcsnicmp 101949->102498 101951 232f20 101951->101730 101952->101730 101954 2192d6 101953->101954 101955 230db6 Mailbox 59 API calls 101954->101955 101956 2192e4 101955->101956 101957 213924 101956->101957 102500 2191fc 59 API calls Mailbox 101956->102500 101959 219050 101957->101959 102501 219160 101959->102501 101961 230db6 Mailbox 59 API calls 101962 213932 101961->101962 101964 218ee0 101962->101964 101963 21905f 101963->101961 101963->101962 101965 24f17c 101964->101965 101967 218ef7 101964->101967 101965->101967 102511 218bdb 59 API calls Mailbox 101965->102511 101968 219040 101967->101968 101969 218ff8 101967->101969 101972 218fff 101967->101972 102510 219d3c 60 API calls Mailbox 101968->102510 101971 230db6 Mailbox 59 API calls 101969->101971 101971->101972 101972->101758 101974 214ee5 85 API calls 101973->101974 101975 2795ca 101974->101975 102512 279734 101975->102512 101978 214f0b 74 API calls 101979 2795f7 101978->101979 101980 214f0b 74 API calls 101979->101980 101981 279607 101980->101981 101982 214f0b 74 API calls 101981->101982 101983 279622 101982->101983 101984 214f0b 74 API calls 101983->101984 101985 27963d 101984->101985 101986 214ee5 85 API calls 
101985->101986 101987 279654 101986->101987 101988 23571c __crtCompareStringA_stat 58 API calls 101987->101988 101989 27965b 101988->101989 101990 23571c __crtCompareStringA_stat 58 API calls 101989->101990 101991 279665 101990->101991 101992 214f0b 74 API calls 101991->101992 101993 279679 101992->101993 101994 279109 GetSystemTimeAsFileTime 101993->101994 101995 27968c 101994->101995 101996 2796b6 101995->101996 101997 2796a1 101995->101997 101999 2796bc 101996->101999 102000 27971b 101996->102000 101998 232d55 _free 58 API calls 101997->101998 102002 2796a7 101998->102002 102518 278b06 101999->102518 102001 232d55 _free 58 API calls 102000->102001 102004 24d186 102001->102004 102005 232d55 _free 58 API calls 102002->102005 102004->101696 102008 214e4a 102004->102008 102005->102004 102007 232d55 _free 58 API calls 102007->102004 102009 214e54 102008->102009 102011 214e5b 102008->102011 102010 2353a6 __fcloseall 83 API calls 102009->102010 102010->102011 102012 214e7b FreeLibrary 102011->102012 102013 214e6a 102011->102013 102012->102013 102013->101696 102015 217e4f 59 API calls 102014->102015 102016 2179fd 102015->102016 102016->101896 102018 213f82 102017->102018 102022 213fa4 _memmove 102017->102022 102020 230db6 Mailbox 59 API calls 102018->102020 102019 230db6 Mailbox 59 API calls 102021 213fb8 102019->102021 102020->102022 102021->101904 102022->102019 102072 214c03 102023->102072 102026 214bdc 102028 214bf5 102026->102028 102029 214bec FreeLibrary 102026->102029 102027 214c03 2 API calls 102027->102026 102030 23525b 102028->102030 102029->102028 102076 235270 102030->102076 102032 214dfc 102032->101911 102032->101912 102233 214c36 102033->102233 102036 214ba1 FreeLibrary 102037 214baa 102036->102037 102040 214c70 102037->102040 102038 214c36 2 API calls 102039 214b8f 102038->102039 102039->102036 102039->102037 102041 230db6 Mailbox 59 API calls 102040->102041 102042 214c85 102041->102042 102237 21522e 102042->102237 102044 214c91 _memmove 102045 214ccc 
102044->102045 102047 214dc1 102044->102047 102048 214d89 102044->102048 102046 214ec7 69 API calls 102045->102046 102055 214cd5 102046->102055 102251 27991b 95 API calls 102047->102251 102240 214e89 CreateStreamOnHGlobal 102048->102240 102051 214f0b 74 API calls 102051->102055 102053 214d69 102053->101919 102054 24d8a7 102056 214ee5 85 API calls 102054->102056 102055->102051 102055->102053 102055->102054 102246 214ee5 102055->102246 102057 24d8bb 102056->102057 102058 214f0b 74 API calls 102057->102058 102058->102053 102060 24d9cd 102059->102060 102061 214f1d 102059->102061 102275 2355e2 102061->102275 102064 279109 102473 278f5f 102064->102473 102066 27911f 102066->101927 102068 24d990 102067->102068 102069 214ed6 102067->102069 102478 235c60 102069->102478 102071 214ede 102071->101929 102073 214bd0 102072->102073 102074 214c0c LoadLibraryA 102072->102074 102073->102026 102073->102027 102074->102073 102075 214c1d GetProcAddress 102074->102075 102075->102073 102079 23527c __setmode 102076->102079 102077 23528f 102125 238b28 58 API calls __getptd_noexit 102077->102125 102079->102077 102081 2352c0 102079->102081 102080 235294 102126 238db6 9 API calls __wcsnicmp 102080->102126 102095 2404e8 102081->102095 102084 2352c5 102085 2352db 102084->102085 102086 2352ce 102084->102086 102088 235305 102085->102088 102089 2352e5 102085->102089 102127 238b28 58 API calls __getptd_noexit 102086->102127 102110 240607 102088->102110 102128 238b28 58 API calls __getptd_noexit 102089->102128 102094 23529f @_EH4_CallFilterFunc@8 __setmode 102094->102032 102096 2404f4 __setmode 102095->102096 102097 239c0b __lock 58 API calls 102096->102097 102098 240502 102097->102098 102099 24057d 102098->102099 102105 239c93 __mtinitlocknum 58 API calls 102098->102105 102108 240576 102098->102108 102133 236c50 59 API calls __lock 102098->102133 102134 236cba RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 102098->102134 102135 23881d 58 API calls 2 library calls 102099->102135 102102 240584 
102102->102108 102136 239e2b InitializeCriticalSectionAndSpinCount 102102->102136 102103 2405f3 __setmode 102103->102084 102105->102098 102107 2405aa RtlEnterCriticalSection 102107->102108 102130 2405fe 102108->102130 102118 240627 __wopenfile 102110->102118 102111 240641 102141 238b28 58 API calls __getptd_noexit 102111->102141 102113 240646 102142 238db6 9 API calls __wcsnicmp 102113->102142 102115 235310 102129 235332 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 102115->102129 102116 24085f 102138 2485a1 102116->102138 102118->102111 102124 2407fc 102118->102124 102143 2337cb 60 API calls 2 library calls 102118->102143 102120 2407f5 102120->102124 102144 2337cb 60 API calls 2 library calls 102120->102144 102122 240814 102122->102124 102145 2337cb 60 API calls 2 library calls 102122->102145 102124->102111 102124->102116 102125->102080 102126->102094 102127->102094 102128->102094 102129->102094 102137 239d75 RtlLeaveCriticalSection 102130->102137 102132 240605 102132->102103 102133->102098 102134->102098 102135->102102 102136->102107 102137->102132 102146 247d85 102138->102146 102140 2485ba 102140->102115 102141->102113 102142->102115 102143->102120 102144->102122 102145->102124 102149 247d91 __setmode 102146->102149 102147 247da7 102230 238b28 58 API calls __getptd_noexit 102147->102230 102149->102147 102151 247ddd 102149->102151 102150 247dac 102231 238db6 9 API calls __wcsnicmp 102150->102231 102157 247e4e 102151->102157 102154 247df9 102232 247e22 RtlLeaveCriticalSection __unlock_fhandle 102154->102232 102156 247db6 __setmode 102156->102140 102158 247e6e 102157->102158 102159 2344ea __wsopen_nolock 58 API calls 102158->102159 102163 247e8a 102159->102163 102160 247fc1 102161 238dc6 __invoke_watson 8 API calls 102160->102161 102162 2485a0 102161->102162 102165 247d85 __wsopen_helper 103 API calls 102162->102165 102163->102160 102164 247ec4 102163->102164 102171 247ee7 102163->102171 102166 238af4 __close 58 API calls 102164->102166 102167 2485ba 
102165->102167 102168 247ec9 102166->102168 102167->102154 102169 238b28 __wcsnicmp 58 API calls 102168->102169 102170 247ed6 102169->102170 102173 238db6 __wcsnicmp 9 API calls 102170->102173 102172 247fa5 102171->102172 102180 247f83 102171->102180 102174 238af4 __close 58 API calls 102172->102174 102175 247ee0 102173->102175 102176 247faa 102174->102176 102175->102154 102177 238b28 __wcsnicmp 58 API calls 102176->102177 102178 247fb7 102177->102178 102179 238db6 __wcsnicmp 9 API calls 102178->102179 102179->102160 102181 23d294 __alloc_osfhnd 61 API calls 102180->102181 102182 248051 102181->102182 102183 24807e 102182->102183 102184 24805b 102182->102184 102186 247cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102183->102186 102185 238af4 __close 58 API calls 102184->102185 102187 248060 102185->102187 102194 2480a0 102186->102194 102189 238b28 __wcsnicmp 58 API calls 102187->102189 102188 24811e GetFileType 102192 248129 GetLastError 102188->102192 102193 24816b 102188->102193 102191 24806a 102189->102191 102190 2480ec GetLastError 102195 238b07 __dosmaperr 58 API calls 102190->102195 102196 238b28 __wcsnicmp 58 API calls 102191->102196 102197 238b07 __dosmaperr 58 API calls 102192->102197 102202 23d52a __set_osfhnd 59 API calls 102193->102202 102194->102188 102194->102190 102198 247cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102194->102198 102199 248111 102195->102199 102196->102175 102200 248150 CloseHandle 102197->102200 102201 2480e1 102198->102201 102205 238b28 __wcsnicmp 58 API calls 102199->102205 102200->102199 102203 24815e 102200->102203 102201->102188 102201->102190 102208 248189 102202->102208 102204 238b28 __wcsnicmp 58 API calls 102203->102204 102206 248163 102204->102206 102205->102160 102206->102199 102207 248344 102207->102160 102210 248517 CloseHandle 102207->102210 102208->102207 102209 2418c1 __lseeki64_nolock 60 API calls 102208->102209 102226 24820a 102208->102226 102211 2481f3 102209->102211 102212 247cfd 
___createFile GetModuleHandleW GetProcAddress CreateFileW 102210->102212 102215 238af4 __close 58 API calls 102211->102215 102211->102226 102214 24853e 102212->102214 102213 240e5b 70 API calls __read_nolock 102213->102226 102216 248546 GetLastError 102214->102216 102217 248572 102214->102217 102215->102226 102218 238b07 __dosmaperr 58 API calls 102216->102218 102217->102160 102219 248552 102218->102219 102221 23d43d __free_osfhnd 59 API calls 102219->102221 102220 240add __close_nolock 61 API calls 102220->102226 102221->102217 102222 2497a2 __chsize_nolock 82 API calls 102222->102226 102223 23d886 __write 78 API calls 102223->102226 102224 2483c1 102225 240add __close_nolock 61 API calls 102224->102225 102228 2483c8 102225->102228 102226->102207 102226->102213 102226->102220 102226->102222 102226->102223 102226->102224 102227 2418c1 60 API calls __lseeki64_nolock 102226->102227 102227->102226 102229 238b28 __wcsnicmp 58 API calls 102228->102229 102229->102160 102230->102150 102231->102156 102232->102156 102234 214b83 102233->102234 102235 214c3f LoadLibraryA 102233->102235 102234->102038 102234->102039 102235->102234 102236 214c50 GetProcAddress 102235->102236 102236->102234 102238 230db6 Mailbox 59 API calls 102237->102238 102239 215240 102238->102239 102239->102044 102241 214ec0 102240->102241 102242 214ea3 FindResourceExW 102240->102242 102241->102045 102242->102241 102243 24d933 LoadResource 102242->102243 102243->102241 102244 24d948 SizeofResource 102243->102244 102244->102241 102245 24d95c LockResource 102244->102245 102245->102241 102247 214ef4 102246->102247 102248 24d9ab 102246->102248 102252 23584d 102247->102252 102250 214f02 102250->102055 102251->102045 102253 235859 __setmode 102252->102253 102254 23586b 102253->102254 102256 235891 102253->102256 102265 238b28 58 API calls __getptd_noexit 102254->102265 102267 236c11 102256->102267 102257 235870 102266 238db6 9 API calls __wcsnicmp 102257->102266 102260 235897 102273 2357be 83 API calls 5 library 
calls 102260->102273 102262 2358a6 102274 2358c8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 102262->102274 102264 23587b __setmode 102264->102250 102265->102257 102266->102264 102268 236c43 RtlEnterCriticalSection 102267->102268 102269 236c21 102267->102269 102270 236c39 102268->102270 102269->102268 102271 236c29 102269->102271 102270->102260 102272 239c0b __lock 58 API calls 102271->102272 102272->102270 102273->102262 102274->102264 102278 2355fd 102275->102278 102277 214f2e 102277->102064 102279 235609 __setmode 102278->102279 102280 23561f _memset 102279->102280 102281 23564c 102279->102281 102282 235644 __setmode 102279->102282 102305 238b28 58 API calls __getptd_noexit 102280->102305 102283 236c11 __lock_file 59 API calls 102281->102283 102282->102277 102285 235652 102283->102285 102291 23541d 102285->102291 102286 235639 102306 238db6 9 API calls __wcsnicmp 102286->102306 102294 235438 _memset 102291->102294 102304 235453 102291->102304 102292 235443 102403 238b28 58 API calls __getptd_noexit 102292->102403 102294->102292 102300 235493 102294->102300 102294->102304 102297 2355a4 _memset 102406 238b28 58 API calls __getptd_noexit 102297->102406 102300->102297 102300->102304 102308 2346e6 102300->102308 102315 240e5b 102300->102315 102383 240ba7 102300->102383 102405 240cc8 58 API calls 3 library calls 102300->102405 102302 235448 102404 238db6 9 API calls __wcsnicmp 102302->102404 102307 235686 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 102304->102307 102305->102286 102306->102282 102307->102282 102309 2346f0 102308->102309 102310 234705 102308->102310 102407 238b28 58 API calls __getptd_noexit 102309->102407 102310->102300 102312 2346f5 102408 238db6 9 API calls __wcsnicmp 102312->102408 102314 234700 102314->102300 102316 240e93 102315->102316 102317 240e7c 102315->102317 102319 2415cb 102316->102319 102323 240ecd 102316->102323 102418 238af4 58 API calls __getptd_noexit 102317->102418 102434 238af4 58 API calls __getptd_noexit 
102319->102434 102320 240e81 102419 238b28 58 API calls __getptd_noexit 102320->102419 102325 240ed5 102323->102325 102333 240eec 102323->102333 102324 2415d0 102435 238b28 58 API calls __getptd_noexit 102324->102435 102420 238af4 58 API calls __getptd_noexit 102325->102420 102327 240e88 102327->102300 102329 240ee1 102436 238db6 9 API calls __wcsnicmp 102329->102436 102330 240eda 102421 238b28 58 API calls __getptd_noexit 102330->102421 102332 240f01 102422 238af4 58 API calls __getptd_noexit 102332->102422 102333->102327 102333->102332 102335 240f1b 102333->102335 102337 240f39 102333->102337 102335->102332 102338 240f26 102335->102338 102423 23881d 58 API calls 2 library calls 102337->102423 102409 245c6b 102338->102409 102341 240f49 102342 240f51 102341->102342 102343 240f6c 102341->102343 102424 238b28 58 API calls __getptd_noexit 102342->102424 102426 2418c1 60 API calls 3 library calls 102343->102426 102345 24103a 102346 2410b3 ReadFile 102345->102346 102351 241050 GetConsoleMode 102345->102351 102349 2410d5 102346->102349 102350 241593 GetLastError 102346->102350 102348 240f56 102425 238af4 58 API calls __getptd_noexit 102348->102425 102349->102350 102357 2410a5 102349->102357 102353 241093 102350->102353 102354 2415a0 102350->102354 102355 241064 102351->102355 102356 2410b0 102351->102356 102365 241099 102353->102365 102427 238b07 58 API calls 3 library calls 102353->102427 102432 238b28 58 API calls __getptd_noexit 102354->102432 102355->102356 102359 24106a ReadConsoleW 102355->102359 102356->102346 102357->102365 102366 24110a 102357->102366 102375 241377 102357->102375 102359->102357 102361 24108d GetLastError 102359->102361 102360 2415a5 102433 238af4 58 API calls __getptd_noexit 102360->102433 102361->102353 102364 232d55 _free 58 API calls 102364->102327 102365->102327 102365->102364 102367 241176 ReadFile 102366->102367 102373 2411f7 102366->102373 102369 241197 GetLastError 102367->102369 102382 2411a1 102367->102382 102369->102382 102370 2412b4 
102377 241264 MultiByteToWideChar 102370->102377 102430 2418c1 60 API calls 3 library calls 102370->102430 102371 2412a4 102429 238b28 58 API calls __getptd_noexit 102371->102429 102372 24147d ReadFile 102376 2414a0 GetLastError 102372->102376 102380 2414ae 102372->102380 102373->102365 102373->102370 102373->102371 102373->102377 102375->102365 102375->102372 102376->102380 102377->102361 102377->102365 102380->102375 102431 2418c1 60 API calls 3 library calls 102380->102431 102382->102366 102428 2418c1 60 API calls 3 library calls 102382->102428 102384 240bb2 102383->102384 102389 240bc7 102383->102389 102470 238b28 58 API calls __getptd_noexit 102384->102470 102385 240bc2 102385->102300 102387 240bb7 102471 238db6 9 API calls __wcsnicmp 102387->102471 102389->102385 102390 240bfc 102389->102390 102472 245fe4 58 API calls __malloc_crt 102389->102472 102392 2346e6 __fclose_nolock 58 API calls 102390->102392 102393 240c10 102392->102393 102437 240d47 102393->102437 102395 240c17 102395->102385 102396 2346e6 __fclose_nolock 58 API calls 102395->102396 102397 240c3a 102396->102397 102397->102385 102398 2346e6 __fclose_nolock 58 API calls 102397->102398 102399 240c46 102398->102399 102399->102385 102400 2346e6 __fclose_nolock 58 API calls 102399->102400 102401 240c53 102400->102401 102402 2346e6 __fclose_nolock 58 API calls 102401->102402 102402->102385 102403->102302 102404->102304 102405->102300 102406->102302 102407->102312 102408->102314 102410 245c76 102409->102410 102411 245c83 102409->102411 102412 238b28 __wcsnicmp 58 API calls 102410->102412 102414 245c8f 102411->102414 102415 238b28 __wcsnicmp 58 API calls 102411->102415 102413 245c7b 102412->102413 102413->102345 102414->102345 102416 245cb0 102415->102416 102417 238db6 __wcsnicmp 9 API calls 102416->102417 102417->102413 102418->102320 102419->102327 102420->102330 102421->102329 102422->102330 102423->102341 102424->102348 102425->102327 102426->102338 102427->102365 102428->102382 102429->102365 
102430->102377 102431->102380 102432->102360 102433->102365 102434->102324 102435->102329 102436->102327 102438 240d53 __setmode 102437->102438 102439 240d77 102438->102439 102440 240d60 102438->102440 102442 240e3b 102439->102442 102445 240d8b 102439->102445 102441 238af4 __close 58 API calls 102440->102441 102444 240d65 102441->102444 102443 238af4 __close 58 API calls 102442->102443 102446 240dae 102443->102446 102447 238b28 __wcsnicmp 58 API calls 102444->102447 102448 240db6 102445->102448 102449 240da9 102445->102449 102455 238b28 __wcsnicmp 58 API calls 102446->102455 102459 240d6c __setmode 102447->102459 102451 240dc3 102448->102451 102452 240dd8 102448->102452 102450 238af4 __close 58 API calls 102449->102450 102450->102446 102453 238af4 __close 58 API calls 102451->102453 102454 23d206 ___lock_fhandle 59 API calls 102452->102454 102456 240dc8 102453->102456 102457 240dde 102454->102457 102458 240dd0 102455->102458 102460 238b28 __wcsnicmp 58 API calls 102456->102460 102461 240e04 102457->102461 102462 240df1 102457->102462 102464 238db6 __wcsnicmp 9 API calls 102458->102464 102459->102395 102460->102458 102465 238b28 __wcsnicmp 58 API calls 102461->102465 102463 240e5b __read_nolock 70 API calls 102462->102463 102467 240dfd 102463->102467 102464->102459 102466 240e09 102465->102466 102468 238af4 __close 58 API calls 102466->102468 102469 240e33 __read RtlLeaveCriticalSection 102467->102469 102468->102467 102469->102459 102470->102387 102471->102385 102472->102390 102476 23520a GetSystemTimeAsFileTime 102473->102476 102475 278f6e 102475->102066 102477 235238 __aulldiv 102476->102477 102477->102475 102479 235c6c __setmode 102478->102479 102480 235c93 102479->102480 102481 235c7e 102479->102481 102483 236c11 __lock_file 59 API calls 102480->102483 102492 238b28 58 API calls __getptd_noexit 102481->102492 102485 235c99 102483->102485 102484 235c83 102493 238db6 9 API calls __wcsnicmp 102484->102493 102494 2358d0 67 API calls 6 library calls 102485->102494 
102488 235ca4 102495 235cc4 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 102488->102495 102490 235cb6 102491 235c8e __setmode 102490->102491 102491->102071 102492->102484 102493->102491 102494->102488 102495->102490 102496->101936 102497->101949 102498->101951 102499->101948 102500->101957 102502 219169 Mailbox 102501->102502 102503 24f19f 102502->102503 102508 219173 102502->102508 102504 230db6 Mailbox 59 API calls 102503->102504 102505 24f1ab 102504->102505 102506 21917a 102506->101963 102508->102506 102509 219c90 59 API calls Mailbox 102508->102509 102509->102508 102510->101972 102511->101967 102514 279748 __tzset_nolock _wcscmp 102512->102514 102513 214f0b 74 API calls 102513->102514 102514->102513 102515 279109 GetSystemTimeAsFileTime 102514->102515 102516 2795dc 102514->102516 102517 214ee5 85 API calls 102514->102517 102515->102514 102516->101978 102516->102004 102517->102514 102519 278b11 102518->102519 102520 278b1f 102518->102520 102521 23525b 115 API calls 102519->102521 102522 278b64 102520->102522 102523 23525b 115 API calls 102520->102523 102534 278b28 102520->102534 102521->102520 102549 278d91 102522->102549 102525 278b49 102523->102525 102525->102522 102527 278b52 102525->102527 102526 278ba8 102528 278bcd 102526->102528 102529 278bac 102526->102529 102531 2353a6 __fcloseall 83 API calls 102527->102531 102527->102534 102553 2789a9 102528->102553 102530 278bb9 102529->102530 102533 2353a6 __fcloseall 83 API calls 102529->102533 102530->102534 102536 2353a6 __fcloseall 83 API calls 102530->102536 102531->102534 102533->102530 102534->102007 102536->102534 102537 278bfb 102562 278c2b 102537->102562 102538 278bdb 102540 2353a6 __fcloseall 83 API calls 102538->102540 102541 278be8 102538->102541 102540->102541 102541->102534 102543 2353a6 __fcloseall 83 API calls 102541->102543 102543->102534 102546 278c16 102546->102534 102548 2353a6 __fcloseall 83 API calls 102546->102548 102548->102534 102550 278db6 102549->102550 102552 278d9f 
__tzset_nolock _memmove 102549->102552 102551 2355e2 __fread_nolock 74 API calls 102550->102551 102551->102552 102552->102526 102554 23571c __crtCompareStringA_stat 58 API calls 102553->102554 102555 2789b8 102554->102555 102556 23571c __crtCompareStringA_stat 58 API calls 102555->102556 102557 2789cc 102556->102557 102558 23571c __crtCompareStringA_stat 58 API calls 102557->102558 102559 2789e0 102558->102559 102560 278d0d 58 API calls 102559->102560 102561 2789f3 102559->102561 102560->102561 102561->102537 102561->102538 102568 278c40 102562->102568 102563 278cf8 102595 278f35 102563->102595 102565 278a05 74 API calls 102565->102568 102568->102563 102568->102565 102569 278c02 102568->102569 102591 278e12 102568->102591 102599 278aa1 74 API calls 102568->102599 102570 278d0d 102569->102570 102571 278d20 102570->102571 102572 278d1a 102570->102572 102574 278d31 102571->102574 102575 232d55 _free 58 API calls 102571->102575 102573 232d55 _free 58 API calls 102572->102573 102573->102571 102576 278c09 102574->102576 102577 232d55 _free 58 API calls 102574->102577 102575->102574 102576->102546 102578 2353a6 102576->102578 102577->102576 102579 2353b2 __setmode 102578->102579 102580 2353c6 102579->102580 102581 2353de 102579->102581 102648 238b28 58 API calls __getptd_noexit 102580->102648 102583 236c11 __lock_file 59 API calls 102581->102583 102587 2353d6 __setmode 102581->102587 102585 2353f0 102583->102585 102584 2353cb 102649 238db6 9 API calls __wcsnicmp 102584->102649 102632 23533a 102585->102632 102587->102546 102592 278e21 102591->102592 102593 278e61 102591->102593 102592->102568 102593->102592 102600 278ee8 102593->102600 102596 278f42 102595->102596 102597 278f53 102595->102597 102598 234863 80 API calls 102596->102598 102597->102569 102598->102597 102599->102568 102601 278f14 102600->102601 102602 278f25 102600->102602 102604 234863 102601->102604 102602->102593 102605 23486f __setmode 102604->102605 102606 2348a5 102605->102606 102607 23488d 102605->102607 
102608 23489d __setmode 102605->102608 102609 236c11 __lock_file 59 API calls 102606->102609 102629 238b28 58 API calls __getptd_noexit 102607->102629 102608->102602 102611 2348ab 102609->102611 102617 23470a 102611->102617 102612 234892 102630 238db6 9 API calls __wcsnicmp 102612->102630 102620 234719 102617->102620 102624 234737 102617->102624 102618 234727 102619 238b28 __wcsnicmp 58 API calls 102618->102619 102621 23472c 102619->102621 102620->102618 102620->102624 102625 234751 _memmove 102620->102625 102622 238db6 __wcsnicmp 9 API calls 102621->102622 102622->102624 102623 23ae1e __flsbuf 78 API calls 102623->102625 102631 2348dd RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 102624->102631 102625->102623 102625->102624 102626 234a3d __flush 78 API calls 102625->102626 102627 2346e6 __fclose_nolock 58 API calls 102625->102627 102628 23d886 __write 78 API calls 102625->102628 102626->102625 102627->102625 102628->102625 102629->102612 102630->102608 102631->102608 102633 235349 102632->102633 102635 23535d 102632->102635 102687 238b28 58 API calls __getptd_noexit 102633->102687 102636 235359 102635->102636 102651 234a3d 102635->102651 102650 235415 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 102636->102650 102637 23534e 102688 238db6 9 API calls __wcsnicmp 102637->102688 102643 2346e6 __fclose_nolock 58 API calls 102644 235377 102643->102644 102661 240a02 102644->102661 102646 23537d 102646->102636 102647 232d55 _free 58 API calls 102646->102647 102647->102636 102648->102584 102649->102587 102650->102587 102652 234a74 102651->102652 102653 234a50 102651->102653 102657 240b77 102652->102657 102653->102652 102654 2346e6 __fclose_nolock 58 API calls 102653->102654 102655 234a6d 102654->102655 102689 23d886 102655->102689 102658 240b84 102657->102658 102660 235371 102657->102660 102659 232d55 _free 58 API calls 102658->102659 102658->102660 102659->102660 102660->102643 102662 240a0e __setmode 102661->102662 102663 240a32 102662->102663 102664 
[Control-flow graph edge data omitted: on the original page this is a rendered graph of node IDs and code addresses. The API nodes it contains are RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetLastError, GetConsoleMode, GetConsoleCP, WriteConsoleW, WideCharToMultiByte, MultiByteToWideChar, GetFullPathNameW, GetLongPathNameW, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetStdHandle, OleInitialize, CreateThread, RegisterClipboardFormatW, CharUpperBuffW, LoadIconW, RegOpenKeyExW, RegQueryValueExW and RegCloseKey, reached through the CRT wrappers (__write_nolock, __lseeki64_nolock, __getptd_noexit, __lock_fhandle, _memmove, _free).]

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00213B68
                                                              • IsDebuggerPresent.KERNEL32 ref: 00213B7A
                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,002D52F8,002D52E0,?,?), ref: 00213BEB
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                                • Part of subcall function 0022092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00213C14,002D52F8,?,?,?), ref: 0022096E
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00213C6F
                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002C7770,00000010), ref: 0024D281
                                                              • SetCurrentDirectoryW.KERNEL32(?,002D52F8,?,?,?), ref: 0024D2B9
                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002C4260,002D52F8,?,?,?), ref: 0024D33F
                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0024D346
                                                                • Part of subcall function 00213A46: GetSysColorBrush.USER32(0000000F), ref: 00213A50
                                                                • Part of subcall function 00213A46: LoadCursorW.USER32(00000000,00007F00), ref: 00213A5F
                                                                • Part of subcall function 00213A46: LoadIconW.USER32(00000063), ref: 00213A76
                                                                • Part of subcall function 00213A46: LoadIconW.USER32(000000A4), ref: 00213A88
                                                                • Part of subcall function 00213A46: LoadIconW.USER32(000000A2), ref: 00213A9A
                                                                • Part of subcall function 00213A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00213AC0
                                                                • Part of subcall function 00213A46: RegisterClassExW.USER32(?), ref: 00213B16
                                                                • Part of subcall function 002139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00213A03
                                                                • Part of subcall function 002139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00213A24
                                                                • Part of subcall function 002139D5: ShowWindow.USER32(00000000,?,?), ref: 00213A38
                                                                • Part of subcall function 002139D5: ShowWindow.USER32(00000000,?,?), ref: 00213A41
                                                                • Part of subcall function 0021434A: _memset.LIBCMT ref: 00214370
                                                                • Part of subcall function 0021434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00214415
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                              • String ID: This is a third-party compiled AutoIt script.$runas$%*
                                                              • API String ID: 529118366-1945766179
                                                              • Opcode ID: ae398ca3ac36565534f359b555f4cff8b5f9ca817d22ea874c03e4244ab122b8
                                                              • Instruction ID: dcef223c0b1e4068d9e6a420086218ef561a752194219d5a244cf8466d69b8ef
                                                              • Opcode Fuzzy Hash: ae398ca3ac36565534f359b555f4cff8b5f9ca817d22ea874c03e4244ab122b8
                                                              • Instruction Fuzzy Hash: 00510970D28149AACB01EFB4EC0DEED7BB5AF65710F004067F811A2192DAB05AB9CF61

                                                              Control-flow Graph

                                                              APIs
                                                              • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 002136D2
                                                              • KillTimer.USER32(?,00000001), ref: 002136FC
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0021371F
                                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0021372A
                                                              • CreatePopupMenu.USER32 ref: 0021373E
                                                              • PostQuitMessage.USER32(00000000), ref: 0021374D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                              • String ID: TaskbarCreated$%*
                                                              • API String ID: 157504867-2475160800
                                                              • Opcode ID: 961e1a2763763089e9d30da6c69cac38dde9cb620999a2ac708cf4dda6655305
                                                              • Instruction ID: 46daaabbbe01f4a6fc030ff44af720f5a9ca28dd35b3645f5d21fb16a76e419a
                                                              • Opcode Fuzzy Hash: 961e1a2763763089e9d30da6c69cac38dde9cb620999a2ac708cf4dda6655305
                                                              • Instruction Fuzzy Hash: 4F4126B1630556BBDB24DF64FC0DBF937DAEB20301F140126F902D62A1CAE09EF59A65

                                                              Control-flow Graph

                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 002149CD
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              • GetCurrentProcess.KERNEL32(?,0029FAEC,00000000,00000000,?), ref: 00214A9A
                                                              • IsWow64Process.KERNEL32(00000000), ref: 00214AA1
                                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00214AE7
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00214AF2
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00214B23
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00214B2F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                              • String ID:
                                                              • API String ID: 1986165174-0
                                                              • Opcode ID: c3e65d3fc87f23b7f252b53dc8219996fbd26f4b84e1d1dc499bdd06808756b9
                                                              • Instruction ID: f0101085739ca6bcc78eecd02a7b9f6e1ac2f560e5d79c35b662a7a199b3f78f
                                                              • Opcode Fuzzy Hash: c3e65d3fc87f23b7f252b53dc8219996fbd26f4b84e1d1dc499bdd06808756b9
                                                              • Instruction Fuzzy Hash: 5291F4319AD7C1DEC731DF6895601EAFFF5AF3A300B4449AED0CA93A01D260A598C759

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00214E99
                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00214D8E,?,?,00000000,00000000), ref: 00214EB0
                                                              • LoadResource.KERNEL32(?,00000000,?,?,00214D8E,?,?,00000000,00000000,?,?,?,?,?,?,00214E2F), ref: 0024D937
                                                              • SizeofResource.KERNEL32(?,00000000,?,?,00214D8E,?,?,00000000,00000000,?,?,?,?,?,?,00214E2F), ref: 0024D94C
                                                              • LockResource.KERNEL32(00214D8E,?,?,00214D8E,?,?,00000000,00000000,?,?,?,?,?,?,00214E2F,00000000), ref: 0024D95F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                              • String ID: SCRIPT
                                                              • API String ID: 3051347437-3967369404
                                                              • Opcode ID: d1bae54c15b715ce210446ed15edb420b1aa01726a12d86075260a67d89ac837
                                                              • Instruction ID: f4ddbadbeaf51ce57787d128e54764ecab24f9a01451174a4753ceb10c726f09
                                                              • Opcode Fuzzy Hash: d1bae54c15b715ce210446ed15edb420b1aa01726a12d86075260a67d89ac837
                                                              • Instruction Fuzzy Hash: 62119EB1600305BFD7619F65EC48F677BBAFBC5B11F204269F809C6250DBA1E8508660
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,0024E398), ref: 0027446A
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 0027447B
                                                              • FindClose.KERNEL32(00000000), ref: 0027448B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirst
                                                              • String ID:
                                                              • API String ID: 48322524-0
                                                              • Opcode ID: 7b5b95d17e2abdc8d44384092814a593810ac4175dfe8f27cad7650954ba7d3a
                                                              • Instruction ID: fd617436facc536076df2d8a1f5aeacc72b7483b88d6ebb520af3bcae920de46
                                                              • Opcode Fuzzy Hash: 7b5b95d17e2abdc8d44384092814a593810ac4175dfe8f27cad7650954ba7d3a
                                                              • Instruction Fuzzy Hash: 62E0DF338209016B8250BB38FC0D9EA779CAE05335F248726F839C20E0EBB49910A696
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00220A5B
                                                              • timeGetTime.WINMM ref: 00220D16
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00220E53
                                                              • Sleep.KERNEL32(0000000A), ref: 00220E61
                                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 00220EFA
                                                              • DestroyWindow.USER32 ref: 00220F06
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00220F20
                                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00254E83
                                                              • TranslateMessage.USER32(?), ref: 00255C60
                                                              • DispatchMessageW.USER32(?), ref: 00255C6E
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00255C82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                              • API String ID: 4212290369-3242690629
                                                              • Opcode ID: aedf0746fa65da7ff9cc2637778f42d327d2454c09dc850b27aef2c1b2f51828
                                                              • Instruction ID: 58af41bc2242d15a2fb072c8205709e6d50586b7d4e603f633acaa5142e8aa91
                                                              • Opcode Fuzzy Hash: aedf0746fa65da7ff9cc2637778f42d327d2454c09dc850b27aef2c1b2f51828
                                                              • Instruction Fuzzy Hash: BFB20670628752EFD724DF64D494BAAB7E4BF84304F14491EF849872A1C771E8A8CF86

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00278F5F: __time64.LIBCMT ref: 00278F69
                                                                • Part of subcall function 00214EE5: _fseek.LIBCMT ref: 00214EFD
                                                              • __wsplitpath.LIBCMT ref: 00279234
                                                                • Part of subcall function 002340FB: __wsplitpath_helper.LIBCMT ref: 0023413B
                                                              • _wcscpy.LIBCMT ref: 00279247
                                                              • _wcscat.LIBCMT ref: 0027925A
                                                              • __wsplitpath.LIBCMT ref: 0027927F
                                                              • _wcscat.LIBCMT ref: 00279295
                                                              • _wcscat.LIBCMT ref: 002792A8
                                                                • Part of subcall function 00278FA5: _memmove.LIBCMT ref: 00278FDE
                                                                • Part of subcall function 00278FA5: _memmove.LIBCMT ref: 00278FED
                                                              • _wcscmp.LIBCMT ref: 002791EF
                                                                • Part of subcall function 00279734: _wcscmp.LIBCMT ref: 00279824
                                                                • Part of subcall function 00279734: _wcscmp.LIBCMT ref: 00279837
                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00279452
                                                              • _wcsncpy.LIBCMT ref: 002794C5
                                                              • DeleteFileW.KERNEL32(?,?), ref: 002794FB
                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00279511
                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00279522
                                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00279534
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                              • String ID:
                                                              • API String ID: 1500180987-0
                                                              • Opcode ID: 5f4262c7d365ef3148cf45f632b1ad791a5e5255f22f1dbdfafcdc88c948d23f
                                                              • Instruction ID: 12c8edb07009213d11a1e88f61da59a4acfd6818d93c3095aa33674921db31e9
                                                              • Opcode Fuzzy Hash: 5f4262c7d365ef3148cf45f632b1ad791a5e5255f22f1dbdfafcdc88c948d23f
                                                              • Instruction Fuzzy Hash: C7C15DB1D1022DAADF21DF94CC85ADEB7BDEF55310F0080AAF609E7141EB309A958F65

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00214706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D52F8,?,002137AE,?), ref: 00214724
                                                                • Part of subcall function 0023050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00217165), ref: 0023052D
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002171A8
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0024E8C8
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0024E909
                                                              • RegCloseKey.ADVAPI32(?), ref: 0024E947
                                                              • _wcscat.LIBCMT ref: 0024E9A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                              • API String ID: 2673923337-2727554177
                                                              • Opcode ID: db27d6c9e099c7ef43a0892d2b6f368bb50f9ad89ccda23033153c8e753cf576
                                                              • Instruction ID: a0e559a3452eb7695550a0f25ede1ba949d8d4662a2d29dd9e36902e31324f0e
                                                              • Opcode Fuzzy Hash: db27d6c9e099c7ef43a0892d2b6f368bb50f9ad89ccda23033153c8e753cf576
                                                              • Instruction Fuzzy Hash: F9717C719293019ED704EF65E88D9ABBBF8FF95310F40092FF845871A0DB719968CB92

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00213A50
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00213A5F
                                                              • LoadIconW.USER32(00000063), ref: 00213A76
                                                              • LoadIconW.USER32(000000A4), ref: 00213A88
                                                              • LoadIconW.USER32(000000A2), ref: 00213A9A
                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00213AC0
                                                              • RegisterClassExW.USER32(?), ref: 00213B16
                                                                • Part of subcall function 00213041: GetSysColorBrush.USER32(0000000F), ref: 00213074
                                                                • Part of subcall function 00213041: RegisterClassExW.USER32(00000030), ref: 0021309E
                                                                • Part of subcall function 00213041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002130AF
                                                                • Part of subcall function 00213041: LoadIconW.USER32(000000A9), ref: 002130F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                              • String ID: #$0$AutoIt v3
                                                              • API String ID: 2880975755-4155596026
                                                              • Opcode ID: 8a1ae39dc2b4331a53ce2c9a644706e8136c6959c58ac60177429af3a555b161
                                                              • Instruction ID: e6565deb0ebcbb3084baf181dcde1a11d5894611980dfcc5b6dcdea7b1b90e2a
                                                              • Opcode Fuzzy Hash: 8a1ae39dc2b4331a53ce2c9a644706e8136c6959c58ac60177429af3a555b161
                                                              • Instruction Fuzzy Hash: E5212770D12318ABEB50DFA4FD0DBAD7BB5EB08712F10012AE904A62A1D3B55A548F84

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                              • API String ID: 1825951767-3513169116
                                                              • Opcode ID: b6f781be7aefc372561d16e0eeffcd38755cc5b5988fb07895a57806629be1b0
                                                              • Instruction ID: 330f7bf8cb0ace50d12699980a70e6882fdf951356398cbe3751df2ef55cb3cf
                                                              • Opcode Fuzzy Hash: b6f781be7aefc372561d16e0eeffcd38755cc5b5988fb07895a57806629be1b0
                                                              • Instruction Fuzzy Hash: ABA1527192022D9ACF04EBA0DC95DEEB7B9BF25310F44042AF815B7191DF745AA9CFA0

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00213074
                                                              • RegisterClassExW.USER32(00000030), ref: 0021309E
                                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002130AF
                                                              • LoadIconW.USER32(000000A9), ref: 002130F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 975902462-1005189915
                                                              • Opcode ID: 956426b83abd4f6043650130543bad2febdd9b2823312e66ca1af7a0e8470bb8
                                                              • Instruction ID: eba05c82a3ab45f1453da7ec9b3fe335294f8f7c6bb99c17f3a75fe5cceb6fac
                                                              • Opcode Fuzzy Hash: 956426b83abd4f6043650130543bad2febdd9b2823312e66ca1af7a0e8470bb8
                                                              • Instruction Fuzzy Hash: 913118B1D51319AFDB808FA4E949AC9BBF4FB09310F20412AE580E62A0D3B50995CF51

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00213074
                                                              • RegisterClassExW.USER32(00000030), ref: 0021309E
                                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002130AF
                                                              • LoadIconW.USER32(000000A9), ref: 002130F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 975902462-1005189915
                                                              • Opcode ID: 78899cde83ded89d631d5109fefc2427cbf6392e49461c35ebc8642334144323
                                                              • Instruction ID: bda7c8d0ee6e69481b518ce37bfa63e63dddc2d405435dcb52d43c0032de2439
                                                              • Opcode Fuzzy Hash: 78899cde83ded89d631d5109fefc2427cbf6392e49461c35ebc8642334144323
                                                              • Instruction Fuzzy Hash: 9121A3B1D51618AFDB80DFA4F94DADDBBF8FB08701F10412BE910E62A0D7B149949F91

                                                              Control-flow Graph

                                                              • Graph image not extracted; recoverable structure: entry block 15a1818-15a186a (call 15a1718, CreateFileW), then VirtualAlloc, CreateFileW, ReadFile, WriteFile, and a cleanup block 15a19a2-15a19c7 (CloseHandle, VirtualFree); every failure branch exits through 15a19cc-15a19d0
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 015A185D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                              • Instruction ID: 5ab8f5957557017b4ba2b07a0cb5abfb40cdcd7227ffff3148144ef7a4214470
                                                              • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                              • Instruction Fuzzy Hash: 60510975A50209FFEB20DFA4CC89FDE7BB8BF48700F508914F64AEA180DA749644CB64

                                                              Control-flow Graph

                                                              • Graph image not extracted; recoverable structure: entry block 217285-2172a5 (call 241940) branches to 24ea22-24ea8b (call 232de0, 7722D0D0) and to 2172ab-2172d8 (call 214750, 230791, 21700b, 21686a); 24ea94-24ea9d (call 217bcc) leads into a self-loop at 24eaa2
                                                              APIs
                                                              • _memset.LIBCMT ref: 0024EA39
                                                              • 7722D0D0.COMDLG32(?), ref: 0024EA83
                                                                • Part of subcall function 00214750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00214743,?,?,002137AE,?), ref: 00214770
                                                                • Part of subcall function 00230791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002307B0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: NamePath$7722FullLong_memset
                                                              • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                                              • API String ID: 1752364830-1954568251
                                                              • Opcode ID: 7db45698d13b991684bcb64dd43b63673b269947aa868d05a1a23b9d91e02f1a
                                                              • Instruction ID: 6ecf5ca1ea65f6f8ff4da5b62b5782a784b0c074c98f666033251287c9821abe
                                                              • Opcode Fuzzy Hash: 7db45698d13b991684bcb64dd43b63673b269947aa868d05a1a23b9d91e02f1a
                                                              • Instruction Fuzzy Hash: 1621D870A242589BDF41DF94D845BEE7BF8AF58714F00405AE808AB241DBF459A9CFA1

                                                              Control-flow Graph

                                                              • Graph image not extracted; recoverable structure: a single basic block 2139d5-213a45 calling CreateWindowExW twice and ShowWindow twice
                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00213A03
                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00213A24
                                                              • ShowWindow.USER32(00000000,?,?), ref: 00213A38
                                                              • ShowWindow.USER32(00000000,?,?), ref: 00213A41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$CreateShow
                                                              • String ID: AutoIt v3$edit
                                                              • API String ID: 1584632944-3779509399
                                                              • Opcode ID: 5024fb08565fab51336a6a33922e2934d3f0e42febd45b8f523a5a370a5719fc
                                                              • Instruction ID: b2d79a376e47fd2b61bc86070fac7851aff0bc84afe0a4b6099951d0e7d07aaf
                                                              • Opcode Fuzzy Hash: 5024fb08565fab51336a6a33922e2934d3f0e42febd45b8f523a5a370a5719fc
                                                              • Instruction Fuzzy Hash: 4FF01770A022A07AEA6057237C4CE6B2F7DD7C6F50F00002BBD00E2160C2A10C14CAB0

                                                              Control-flow Graph

                                                              • Graph image not extracted; recoverable structure: entry block 21686a-216891 (call 214ddd) with the main body at 24e031-24e2b8; called functions along the paths: 27955b, 214e4a, 230db6, 2742f8, 216a8c, 232d55, 217480, 215db2, 2773e9, 2773d3, 2773bd, 217616, 215d9b, 26f7a1, 230e2c, 21750f, 21735d, 215e2a, 26f73d, 217de1, 215904, 216839, 27737f, 26f65e
                                                              APIs
                                                                • Part of subcall function 00214DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214E0F
                                                              • _free.LIBCMT ref: 0024E263
                                                              • _free.LIBCMT ref: 0024E2AA
                                                                • Part of subcall function 00216A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00216BAD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                                              • String ID: /v!$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                              • API String ID: 2861923089-3401092202
                                                              • Opcode ID: 666f2aefba3224b91b8f5fcca5c316d3de295fe4040bfc55ecdf39045ff400ad
                                                              • Instruction ID: f01bec2561c077c249fc9079275d874c6a3d692243c6ab8cc71f3faab0d2a6f6
                                                              • Opcode Fuzzy Hash: 666f2aefba3224b91b8f5fcca5c316d3de295fe4040bfc55ecdf39045ff400ad
                                                              • Instruction Fuzzy Hash: 60918E71920219DFDF08EFA4C8919EDB7B8FF19310F104469F816AB2A1DBB09965CF50

Control-flow Graph (graph rendering not reproduced)
                                                              APIs
                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0024D3D7
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              • _memset.LIBCMT ref: 002140FC
                                                              • _wcscpy.LIBCMT ref: 00214150
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00214160
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                              • String ID: Line:
                                                              • API String ID: 3942752672-1585850449
                                                              • Opcode ID: 903590158a797ea4cec9365614cdf27d1d8440f33849e093e7e4359c63d7e182
                                                              • Instruction ID: 928c0f2b13bdadd3769f7eed0e27048203d37ca8d8c23130f704dd96484c4956
                                                              • Opcode Fuzzy Hash: 903590158a797ea4cec9365614cdf27d1d8440f33849e093e7e4359c63d7e182
                                                              • Instruction Fuzzy Hash: FD31D771428315AFD324EF60EC49FDB77E8AF64304F20451FF58992091EBB096A8CB82
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                              • String ID:
                                                              • API String ID: 1559183368-0
                                                              • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                              • Instruction ID: 108484a8a3c81ed4b8f0d3a0873ccbde56fea35478d3c1937833f83dd43a7979
                                                              • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                              • Instruction Fuzzy Hash: E651CCF0A20B16DBDB288F65D84066E77B6AF40321F548729F82D962D0D770ED708F41
                                                              APIs
                                                                • Part of subcall function 00230162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00230193
                                                                • Part of subcall function 00230162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0023019B
                                                                • Part of subcall function 00230162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002301A6
                                                                • Part of subcall function 00230162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002301B1
                                                                • Part of subcall function 00230162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002301B9
                                                                • Part of subcall function 00230162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002301C1
                                                                • Part of subcall function 002260F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00226154
                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0021F9CD
                                                              • OleInitialize.OLE32(00000000), ref: 0021FA4A
                                                              • CloseHandle.KERNEL32(00000000), ref: 002545C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                                              • String ID: %*
                                                              • API String ID: 3094916012-3615067565
                                                              • Opcode ID: ee3961b7ddb8b2f85cb3f4b2a9482d1e09980cbe69767e926ec2750cd61cb44b
                                                              • Instruction ID: d34bb4e7b430be1a13cb9c4c91cfc074b959711377d157ac44db71dc42f949a5
                                                              • Opcode Fuzzy Hash: ee3961b7ddb8b2f85cb3f4b2a9482d1e09980cbe69767e926ec2750cd61cb44b
                                                              • Instruction Fuzzy Hash: 5581B0B0D26A608FD384DF79B948659BBE5FB983067A0816BE018C7361E7F44C94CF52
                                                              APIs
                                                                • Part of subcall function 015A31C8: Sleep.KERNELBASE(000001F4), ref: 015A31D9
                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015A33F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CreateFileSleep
                                                              • String ID: 6WCSXZP3DGA2G6ZV
                                                              • API String ID: 2694422964-186375060
                                                              • Opcode ID: bcc40fce414ec1caa9646508fd63c621eeae42ffff454a46c13dec789ffcad39
                                                              • Instruction ID: 28945221987e22d9eabd9ba70f04db8beb1d0baa3a8109a5e16a15ee26ae8350
                                                              • Opcode Fuzzy Hash: bcc40fce414ec1caa9646508fd63c621eeae42ffff454a46c13dec789ffcad39
                                                              • Instruction Fuzzy Hash: 5F51A335D44249EBEF11DBA4C818BEEBB79BF54304F404598E218BB2C0D7B91B49CBA5
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002135A1,SwapMouseButtons,00000004,?), ref: 002135D4
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002135A1,SwapMouseButtons,00000004,?,?,?,?,00212754), ref: 002135F5
                                                              • RegCloseKey.KERNELBASE(00000000,?,?,002135A1,SwapMouseButtons,00000004,?,?,?,?,00212754), ref: 00213617
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: Control Panel\Mouse
                                                              • API String ID: 3677997916-824357125
                                                              • Opcode ID: 1bcb6b58f594655220941773d68fd0c4838e0eb47f611679f653f5ef47b9cf54
                                                              • Instruction ID: 335cb3baaa3c31fcaccd0331ae66d82617960ba25b9ae10d77030749b0944da7
                                                              • Opcode Fuzzy Hash: 1bcb6b58f594655220941773d68fd0c4838e0eb47f611679f653f5ef47b9cf54
                                                              • Instruction Fuzzy Hash: DA114871A20248BFDB20CF64EC84AEEB7FDEF54740F00446AE805D7210D2719EA49764
                                                              APIs
                                                                • Part of subcall function 00214EE5: _fseek.LIBCMT ref: 00214EFD
                                                                • Part of subcall function 00279734: _wcscmp.LIBCMT ref: 00279824
                                                                • Part of subcall function 00279734: _wcscmp.LIBCMT ref: 00279837
                                                              • _free.LIBCMT ref: 002796A2
                                                              • _free.LIBCMT ref: 002796A9
                                                              • _free.LIBCMT ref: 00279714
                                                                • Part of subcall function 00232D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00239A24), ref: 00232D69
                                                                • Part of subcall function 00232D55: GetLastError.KERNEL32(00000000,?,00239A24), ref: 00232D7B
                                                              • _free.LIBCMT ref: 0027971C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                              • String ID:
                                                              • API String ID: 1552873950-0
                                                              • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                              • Instruction ID: cbc59456babd3157b660aedcc2f0fb1d84d15e130d4bde628d8b0ab40a8ce60f
                                                              • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                              • Instruction Fuzzy Hash: DA513CB1924258ABDF249F64CC85A9EBBB9EF48300F10449EF60DA7241DB715AA1CF58
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                              • String ID:
                                                              • API String ID: 2782032738-0
                                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                              • Instruction ID: b98e45feef2206aa7aba9d2a69b7c083c0d61a5ba58e00e543df83e7adaf2a81
                                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                              • Instruction Fuzzy Hash: 6A41E6F4B207469BDB18EE69CC809AEB7A6EF46364F2481BDE815C7640D770FD618B40
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,00001000,00000004,?,00000000), ref: 0031BB87
                                                              • VirtualProtect.KERNELBASE(?,00001000), ref: 0031BB9C
                                                              Strings
                                                              • med classes are supported only within a class, xrefs: 0031B9D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID: med classes are supported only within a class
                                                              • API String ID: 544645111-2751476757
                                                              • Opcode ID: a51a78fe5f5f49d3f6f50e5a4a9b58427afdf4ec299009a38d44d47f334b3d09
                                                              • Instruction ID: 87c9752595944f94101af2e6f3f07a30598ec8590cdb9d14c9f252d0bb19e59d
                                                              • Opcode Fuzzy Hash: a51a78fe5f5f49d3f6f50e5a4a9b58427afdf4ec299009a38d44d47f334b3d09
                                                              • Instruction Fuzzy Hash: B1511772A543524BD72A9E78DCC06F0F7E4EF593207290778D5E2C77C9EB90588687A0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: AU3!P/*$EA06
                                                              • API String ID: 4104443479-4236188408
                                                              • Opcode ID: e93d3b9e05a094c16cde33a106727a50df114b4709174ccbc09f57aadcb671c1
                                                              • Instruction ID: 6f408b108eec98fb9ef9df74a5baa1b89813b4335b7d603fc623e8f48e2b60b0
                                                              • Opcode Fuzzy Hash: e93d3b9e05a094c16cde33a106727a50df114b4709174ccbc09f57aadcb671c1
                                                              • Instruction Fuzzy Hash: 81418C31A3415D57CF21BF64A891BFE7FE29B75300F284475EC8A9B282D6205DE487A1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __fread_nolock_memmove
                                                              • String ID: EA06
                                                              • API String ID: 1988441806-3962188686
                                                              • Opcode ID: cba8d8f7e94b19d9755cb56e6dff0edf55c4448dec1c8863fc615de744a1fb44
                                                              • Instruction ID: 95ec50f40eabb0fdab96659861f9457497dd78adf6238206e7a2fb9bce9632fd
                                                              • Opcode Fuzzy Hash: cba8d8f7e94b19d9755cb56e6dff0edf55c4448dec1c8863fc615de744a1fb44
                                                              • Instruction Fuzzy Hash: A701F9719142187EDB28CAA8C856EEE7BF8DB15301F00419EF556D2181E874A6148B60
                                                              APIs
                                                                • Part of subcall function 0023571C: __FF_MSGBANNER.LIBCMT ref: 00235733
                                                                • Part of subcall function 0023571C: __NMSG_WRITE.LIBCMT ref: 0023573A
                                                                • Part of subcall function 0023571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001), ref: 0023575F
                                                              • std::exception::exception.LIBCMT ref: 00230DEC
                                                              • __CxxThrowException@8.LIBCMT ref: 00230E01
                                                                • Part of subcall function 0023859B: RaiseException.KERNEL32(?,?,00000000,002C9E78,?,00000001,?,?,?,00230E06,00000000,002C9E78,00219E8C,00000001), ref: 002385F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                              • String ID: bad allocation
                                                              • API String ID: 3902256705-2104205924
                                                              • Opcode ID: 245760917139c528fc56c8c04ed9a50115d5d39c077dee2b0fe39037c00b95e4
                                                              • Instruction ID: 4aec358de5674a5d25c09b07130b2fd8fb87c39544638a3f8adc0eeb0eed823c
                                                              • Opcode Fuzzy Hash: 245760917139c528fc56c8c04ed9a50115d5d39c077dee2b0fe39037c00b95e4
                                                              • Instruction Fuzzy Hash: 84F0A9B153031EA6CB10FA98DC559DE77ACDF05311F104456F904A6942DF719A7485E1
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 015A1F3D
                                                              • ExitProcess.KERNEL32(00000000), ref: 015A1F5C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Process$CreateExit
                                                              • String ID: D
                                                              • API String ID: 126409537-2746444292
                                                              • Opcode ID: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
                                                              • Instruction ID: ac4197f16c635cbb26e7c4ca622ba315d38f1a800428194b9d1b56fa54e224c9
                                                              • Opcode Fuzzy Hash: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
                                                              • Instruction Fuzzy Hash: 58F0C97554024DABDB60EFE0CC89FEE777DBB44701F408508BA1A9A180DA7496088B61
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 002798F8
                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0027990F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Temp$FileNamePath
                                                              • String ID: aut
                                                              • API String ID: 3285503233-3010740371
                                                              • Opcode ID: 2da5b6034e6696977e5313714fc43c4c0a7c18638a09330afb0ef28284accf1d
                                                              • Instruction ID: c015195d2b959d5b2a1ed5493c83fdbe1ab5478a366016a32a961cff62c499f0
                                                              • Opcode Fuzzy Hash: 2da5b6034e6696977e5313714fc43c4c0a7c18638a09330afb0ef28284accf1d
                                                              • Instruction Fuzzy Hash: 69D05E7994030DABDB909BA0EC0EF9A773CE704700F0043B2BE54D10A1EAB095A88B91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b1262f0ebbb88e0e9c29e5ab800dff60ced4c5265bdd0e5b9468d695e2359388
                                                              • Instruction ID: 0052441f274ee06d9bdb26e46c75a3cf3d935b31d4ce961c032dd7a226cbe84c
                                                              • Opcode Fuzzy Hash: b1262f0ebbb88e0e9c29e5ab800dff60ced4c5265bdd0e5b9468d695e2359388
                                                              • Instruction Fuzzy Hash: 8CF15A746183019FCB14EF28C484A6ABBE5FF88314F14892EF8999B391D730E955CF92
                                                              APIs
                                                              • _memset.LIBCMT ref: 00214370
                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00214415
                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00214432
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_$_memset
                                                              • String ID:
                                                              • API String ID: 1505330794-0
                                                              • Opcode ID: fe6c53c0a7426da1a0c8084949af01ea655df84ea18eb7e2ed6da4d0e4ef16dd
                                                              • Instruction ID: 3c57d6faac218c167dabd67ecf05606346ce007c9aa03f6c8b6512f690bf828a
                                                              • Opcode Fuzzy Hash: fe6c53c0a7426da1a0c8084949af01ea655df84ea18eb7e2ed6da4d0e4ef16dd
                                                              • Instruction Fuzzy Hash: CA3184B0515711CFD721EF24E8886DBBBF8FB58309F10092EE59EC2251D7B06998CB52
                                                              APIs
                                                              • __FF_MSGBANNER.LIBCMT ref: 00235733
                                                                • Part of subcall function 0023A16B: __NMSG_WRITE.LIBCMT ref: 0023A192
                                                                • Part of subcall function 0023A16B: __NMSG_WRITE.LIBCMT ref: 0023A19C
                                                              • __NMSG_WRITE.LIBCMT ref: 0023573A
                                                                • Part of subcall function 0023A1C8: GetModuleFileNameW.KERNEL32(00000000,002D33BA,00000104,00000000,00000001,00000000), ref: 0023A25A
                                                                • Part of subcall function 0023A1C8: ___crtMessageBoxW.LIBCMT ref: 0023A308
                                                                • Part of subcall function 0023309F: ___crtCorExitProcess.LIBCMT ref: 002330A5
                                                                • Part of subcall function 0023309F: ExitProcess.KERNEL32 ref: 002330AE
                                                                • Part of subcall function 00238B28: __getptd_noexit.LIBCMT ref: 00238B28
                                                              • RtlAllocateHeap.NTDLL(01550000,00000000,00000001), ref: 0023575F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 1372826849-0
                                                              • Opcode ID: 473e776eeeb2529337cae8260a6c12a43e00033851c2697484bcec7fa061a617
                                                              • Instruction ID: 57af32886f9c9885332b3ab7b73bbb7eb26a8c9d444d043180de873deebe921f
                                                              • Opcode Fuzzy Hash: 473e776eeeb2529337cae8260a6c12a43e00033851c2697484bcec7fa061a617
                                                              • Instruction Fuzzy Hash: BE01D8F5671B23DAD6106B38FC46A6EF3589F42761F100536F84DDB1D1DEB09D208A62
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00279548,?,?,?,?,?,00000004), ref: 002798BB
                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00279548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002798D1
                                                              • CloseHandle.KERNEL32(00000000,?,00279548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002798D8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleTime
                                                              • String ID:
                                                              • API String ID: 3397143404-0
                                                              • Opcode ID: 2c58e879bc862853d0200a9b1770e119591a74b85de0c447383bba94f831edec
                                                              • Instruction ID: 4ad43be12afd0217a91fee639eb151a5502690dccf6d24e44610627b5d2cf1cb
                                                              • Opcode Fuzzy Hash: 2c58e879bc862853d0200a9b1770e119591a74b85de0c447383bba94f831edec
                                                              • Instruction Fuzzy Hash: 4FE08632140214B7D7611F64FD0DFCA7B19EF06760F108121FB18A90E087B1152197D8
                                                              APIs
                                                              • _free.LIBCMT ref: 00278D1B
                                                                • Part of subcall function 00232D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00239A24), ref: 00232D69
                                                                • Part of subcall function 00232D55: GetLastError.KERNEL32(00000000,?,00239A24), ref: 00232D7B
                                                              • _free.LIBCMT ref: 00278D2C
                                                              • _free.LIBCMT ref: 00278D3E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                              • Instruction ID: 0653a1e87142e42af2f7e9c0248661e994e7c27b12447fb7764e9692652e3240
                                                              • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                              • Instruction Fuzzy Hash: C7E012F166160686CB34A978AD48A9313DC4F58352B24491DB40DD7186DF74F8668524
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CALL
                                                              • API String ID: 0-4196123274
                                                              • Opcode ID: db7f3c6705dbb49635d78939417a44830da4768ffab9e728330ddeb5cceaf620
                                                              • Instruction ID: 9bf0360f68023a33cd6055997fe8491d1fb3dc1dc9bc8ced351c5f50fc00233b
                                                              • Opcode Fuzzy Hash: db7f3c6705dbb49635d78939417a44830da4768ffab9e728330ddeb5cceaf620
                                                              • Instruction Fuzzy Hash: DE226870529341DFC724DF14C494AAABBF1BF99304F14896DE88A8B361D771ECA5CB82
                                                              APIs
                                                              • 74BFC8D0.UXTHEME ref: 00214834
                                                                • Part of subcall function 0023336C: __lock.LIBCMT ref: 00233372
                                                                • Part of subcall function 0023336C: RtlDecodePointer.NTDLL(00000001), ref: 0023337E
                                                                • Part of subcall function 0023336C: RtlEncodePointer.NTDLL(?), ref: 00233389
                                                                • Part of subcall function 002148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00214915
                                                                • Part of subcall function 002148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0021492A
                                                                • Part of subcall function 00213B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00213B68
                                                                • Part of subcall function 00213B3A: IsDebuggerPresent.KERNEL32 ref: 00213B7A
                                                                • Part of subcall function 00213B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,002D52F8,002D52E0,?,?), ref: 00213BEB
                                                                • Part of subcall function 00213B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00213C6F
                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00214874
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                                              • String ID:
                                                              • API String ID: 2688871447-0
                                                              • Opcode ID: 26eb55b868f6a98265b4fcc2baba790f2a7d91e64b135910143d8c922d8f53ab
                                                              • Instruction ID: 61f4dde1b82a2389a75389cf14eebd95b36862f000b9d2d5d2ad60f6bf5b02c3
                                                              • Opcode Fuzzy Hash: 26eb55b868f6a98265b4fcc2baba790f2a7d91e64b135910143d8c922d8f53ab
                                                              • Instruction Fuzzy Hash: 6E118E719193159BC700EF68EC4D98ABBE8EB99750F10851BF44483271DBB09A99CF92
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00215821,?,?,?,?), ref: 00215CC7
                                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00215821,?,?,?,?), ref: 0024DD73
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 7df37791ff19bc41f89f409c50e97727584d0e475e3d52775ec9404708a85f74
                                                              • Instruction ID: a119c1667d62c56c8af9e7d6ced06d60c8c5a5832b22c31abbfd2fffd03cba0a
                                                              • Opcode Fuzzy Hash: 7df37791ff19bc41f89f409c50e97727584d0e475e3d52775ec9404708a85f74
                                                              • Instruction Fuzzy Hash: 0101C471150359FEF3240E24CC8AFA236DCAB10728F208356BAE49A1E0C6B10C948B94
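The two entries above (the function whose subcalls reach SystemParametersInfoW and IsDebuggerPresent, and the CreateFileW wrapper) show their arguments as raw hex. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses lines in this "APIs" format into call records, flags debugger-detection APIs even when they are reached only through a subcall, and decodes the positions that carry documented Win32 constants (0x2000/0x2001 are SPI_GETFOREGROUNDLOCKTIMEOUT/SPI_SETFOREGROUNDLOCKTIMEOUT with 0x2 = SPIF_SENDCHANGE; 0x80000000 and 0xC0000000 are GENERIC_READ and GENERIC_READ|GENERIC_WRITE; 0x7 is all three FILE_SHARE_* bits; 3 and 4 are OPEN_EXISTING and OPEN_ALWAYS; 0x80 is FILE_ATTRIBUTE_NORMAL; 0xFDE9 is CP_UTF8). The sample input is copied from the entries above; the anti-debug watchlist and the parameter names are assumptions drawn from the Win32 documentation, not from the report.

```python
"""Parse the 'APIs' lines of Joe Sandbox function entries and decode the raw
hex arguments into the Win32 constants they stand for."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: the API lines of two function entries from this report,
# copied as they appear (one bullet per call; 'Part of subcall' lines indented).
SAMPLE = """\
APIs
• 74BFC8D0.UXTHEME ref: 00214834
  • Part of subcall function 0023336C: __lock.LIBCMT ref: 00233372
  • Part of subcall function 0023336C: RtlDecodePointer.NTDLL(00000001), ref: 0023337E
  • Part of subcall function 0023336C: RtlEncodePointer.NTDLL(?), ref: 00233389
  • Part of subcall function 002148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00214915
  • Part of subcall function 002148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0021492A
  • Part of subcall function 00213B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00213B68
  • Part of subcall function 00213B3A: IsDebuggerPresent.KERNEL32 ref: 00213B7A
  • Part of subcall function 00213B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,002D52F8,002D52E0,?,?), ref: 00213BEB
  • Part of subcall function 00213B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00213C6F
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00214874
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00215821,?,?,?,?), ref: 00215CC7
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00215821,?,?,?,?), ref: 0024DD73
"""

# One call per line: [Part of subcall function ADDR:] Name.MODULE[(args)][,] ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]          # raw hex strings; '?' where the sandbox could not resolve a value
    ref: str                 # call-site address
    subcall: Optional[str]   # callee address when the call happens inside a subcall


def parse_entries(text: str) -> list[list[ApiCall]]:
    """Split on 'APIs' headers; each entry is one function's list of calls."""
    entries: list[list[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = LINE_RE.match(line)
        if not m or not entries:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        entries[-1].append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return entries


def _flags(value: int, table: dict[int, str]) -> str:
    """Name each set bit found in table; leftover bits stay as hex."""
    names = [n for bit, n in table.items() if value & bit]
    mask = 0
    for bit in table:
        mask |= bit
    if value & ~mask:
        names.append(hex(value & ~mask))
    return "|".join(names) if names else "0"


def _enum(value: int, table: dict[int, str]) -> str:
    return table.get(value, hex(value))


# Documented Win32 values for the argument positions worth reading in this report
# (parameter names follow the Win32 documentation; they are not in the report).
DECODERS: dict[str, list[tuple[int, str, Callable[[int], str]]]] = {
    "CreateFileW": [
        (1, "dwDesiredAccess", lambda v: _flags(v, {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"})),
        (2, "dwShareMode", lambda v: _flags(v, {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"})),
        (4, "dwCreationDisposition", lambda v: _enum(v, {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                                                           4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"})),
        (5, "dwFlagsAndAttributes", lambda v: _flags(v, {0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
                                                          0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"})),
    ],
    "SystemParametersInfoW": [
        (0, "uiAction", lambda v: _enum(v, {0x2000: "SPI_GETFOREGROUNDLOCKTIMEOUT", 0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"})),
        (3, "fWinIni", lambda v: _flags(v, {1: "SPIF_UPDATEINIFILE", 2: "SPIF_SENDCHANGE"})),
    ],
    "MultiByteToWideChar": [
        (0, "CodePage", lambda v: _enum(v, {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"})),
    ],
}


def decode_args(call: ApiCall) -> dict[str, str]:
    """Return {parameter: constant name} for positions DECODERS knows; '?' args are never guessed."""
    out: dict[str, str] = {}
    for pos, pname, fn in DECODERS.get(call.name, []):
        if pos < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]+", call.args[pos]):
            out[pname] = fn(int(call.args[pos], 16))
    return out


# Constructed watchlist (assumption); IsDebuggerPresent and OutputDebugString are the two this report names.
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
              "OutputDebugStringA", "OutputDebugStringW"}


def find_anti_debug(entries: list[list[ApiCall]]) -> list[tuple[int, ApiCall]]:
    """(entry index, call) for every watchlisted API, including ones reached only via a subcall."""
    return [(i, c) for i, calls in enumerate(entries) for c in calls if c.name in ANTI_DEBUG]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for i, call in find_anti_debug(entries):
        via = f" (inside subcall {call.subcall})" if call.subcall else ""
        print(f"entry {i}: {call.name} at {call.ref}{via}")
    for call in entries[0] + entries[1]:
        if decode_args(call):
            print(f"{call.name}@{call.ref}: {decode_args(call)}")
```

Fed the whole report's "APIs" sections instead of SAMPLE, the same functions give one decoded record per call site; unresolved "?" arguments are kept verbatim rather than guessed, and an unknown action or bit is left as hex so it is visible rather than silently dropped.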
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __lock_file_memset
                                                              • String ID:
                                                              • API String ID: 26237723-0
                                                              • Opcode ID: 3228f4c8c99c9ba87739a00e320c5c78f46a78dc2acd2bd15ce062204327bc7e
                                                              • Instruction ID: 675f8c9b67be2b634471ea2ccc0c9adf1cb15a6b5a5af5554812ccb451eda3aa
                                                              • Opcode Fuzzy Hash: 3228f4c8c99c9ba87739a00e320c5c78f46a78dc2acd2bd15ce062204327bc7e
                                                              • Instruction Fuzzy Hash: 00012BF1920719EBCF12AF649C0799E7B65BF51361F404115F8281B191DB31CA31DF91
                                                              APIs
                                                                • Part of subcall function 00238B28: __getptd_noexit.LIBCMT ref: 00238B28
                                                              • __lock_file.LIBCMT ref: 002353EB
                                                                • Part of subcall function 00236C11: __lock.LIBCMT ref: 00236C34
                                                              • __fclose_nolock.LIBCMT ref: 002353F6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                              • String ID:
                                                              • API String ID: 2800547568-0
                                                              • Opcode ID: 4e064a86da9ddcb42287adc66ec83454e2c43537f05c56f2ec8e6e2feb5049ae
                                                              • Instruction ID: 0300427d75e2687f73e7218e475816900bdf6eb44a042ce165988c0aa8dc7ad9
                                                              • Opcode Fuzzy Hash: 4e064a86da9ddcb42287adc66ec83454e2c43537f05c56f2ec8e6e2feb5049ae
                                                              • Instruction Fuzzy Hash: 71F0F6F1830B159ADB10BF7488057AD66E06F41374F208249B428AB1C1CFFC89215F52
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0021542F,?,?,?,?,?), ref: 0021807A
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0021542F,?,?,?,?,?), ref: 002180AD
                                                                • Part of subcall function 0021774D: _memmove.LIBCMT ref: 00217789
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$_memmove
                                                              • String ID:
                                                              • API String ID: 3033907384-0
                                                              • Opcode ID: 1e84acb68568dd77e6e5d00c48dec0c2fb4c118c08cb4decccda27cd4263315c
                                                              • Instruction ID: 8e09f56e578eb768d95c10bca7407346c2a98e8d4386d98b4e3fc61e4e09c027
                                                              • Opcode Fuzzy Hash: 1e84acb68568dd77e6e5d00c48dec0c2fb4c118c08cb4decccda27cd4263315c
                                                              • Instruction Fuzzy Hash: C301A271211108BFEB246A21DD8AFBB3BADEF89760F10802AF905CE190DE6198508A71
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30fdf5e77c80686c53851562cf5523e283eb408851376758071062bfd7fec6ec
                                                              • Instruction ID: 8d195908ae6bb0839df01c714fdb0d4b287b0b6a4e7d8d188a4f379cca381ecd
                                                              • Opcode Fuzzy Hash: 30fdf5e77c80686c53851562cf5523e283eb408851376758071062bfd7fec6ec
                                                              • Instruction Fuzzy Hash: 9151C330620614EFCF14EFA4C995EAE77E6AF94310F5440A8F8069B382DA31EE65CF50
                                                              APIs
                                                                • Part of subcall function 015A17D8: GetFileAttributesW.KERNELBASE(?), ref: 015A17E3
                                                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 015A20C4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AttributesCreateDirectoryFile
                                                              • String ID:
                                                              • API String ID: 3401506121-0
                                                              • Opcode ID: d1b2535b9e6bfbf527a2a2ca398df553f9431891e4159ccb28e78e65b6f8c4a2
                                                              • Instruction ID: 3132c82e74e84d2d12368d8f88adaeb6211d31379a93a69e8d133db3b14e7e15
                                                              • Opcode Fuzzy Hash: d1b2535b9e6bfbf527a2a2ca398df553f9431891e4159ccb28e78e65b6f8c4a2
                                                              • Instruction Fuzzy Hash: 19518431A1020996EF14DFA0D845BEF737AFF58700F40456DE60DEB280E7759A85CB65
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 015305c075300b0522bf11e6b696b7c0424fdbc0cb60e2f73f1e4e58f3d68de1
                                                              • Instruction ID: 83dcc68995113843238f1e5726b0139a9519e29f7cc175c7e26f8a6f90eb0075
                                                              • Opcode Fuzzy Hash: 015305c075300b0522bf11e6b696b7c0424fdbc0cb60e2f73f1e4e58f3d68de1
                                                              • Instruction Fuzzy Hash: 8231C3B5228A02EFC724DF19C0909A1F7F5FF99310B54C569E98A8B391D770E8A1CB90
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00215B96
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: ce37de79de1155e327f52f014359e71123447236958cfbe65f28cd738bf8924c
                                                              • Instruction ID: ae38f4b590cb7288173e21e2852697caad5f7ba991444851b033737c14242517
                                                              • Opcode Fuzzy Hash: ce37de79de1155e327f52f014359e71123447236958cfbe65f28cd738bf8924c
                                                              • Instruction Fuzzy Hash: 07315C31A24A26EFCB18CF6CC480AADB7F5FF94314F148669D81993754D770AAA0CB90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction ID: f22067c21ed94798f6cef0b5c888af96d9ed46b7af823d3638958520411eca85
                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction Fuzzy Hash: A631F9B0A101069BC718DF48C4E4969F7A5FB49300F249BA6E40ACB351D771EDE1DBE0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: f133bfa063ffe7d624e8ed1d3165cd17e0d02b2ea7d6a766e4defa9b4bfe0319
                                                              • Instruction ID: 8da1c63517898fc79c0020f1d3b69cee1d82676510aee124fd851d81967bb66b
                                                              • Opcode Fuzzy Hash: f133bfa063ffe7d624e8ed1d3165cd17e0d02b2ea7d6a766e4defa9b4bfe0319
                                                              • Instruction Fuzzy Hash: F6413874624351DFDB14DF14C494B5ABBE1BF58318F0988ACE8998B362C332E895CF92
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 7c7b6653786161669954387985adb1bda518ac306d3ea3fa35998fc216b0e148
                                                              • Instruction ID: df59da8a43c7485960fef73c7cdfae01d104a10f498a1b8bb96e691059419069
                                                              • Opcode Fuzzy Hash: 7c7b6653786161669954387985adb1bda518ac306d3ea3fa35998fc216b0e148
                                                              • Instruction Fuzzy Hash: DD21C671924A18EBDB189F51E8C4BAA7BF8FF54311F2184ABE485D5110D7B0D4F0D751
                                                              APIs
                                                                • Part of subcall function 00214BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00214BEF
                                                                • Part of subcall function 0023525B: __wfsopen.LIBCMT ref: 00235266
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214E0F
                                                                • Part of subcall function 00214B6A: FreeLibrary.KERNEL32(00000000), ref: 00214BA4
                                                                • Part of subcall function 00214C70: _memmove.LIBCMT ref: 00214CBA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Library$Free$Load__wfsopen_memmove
                                                              • String ID:
                                                              • API String ID: 1396898556-0
                                                              • Opcode ID: 0a100444ee7e57bd87bbec6bc3fc05d204bd13a2fdad7b5942bc87bbe998f16a
                                                              • Instruction ID: 9e34ddab0d25ea90bdfa09cd8a0fd64ea0cd217f14c03e36a29b79af05014388
                                                              • Opcode Fuzzy Hash: 0a100444ee7e57bd87bbec6bc3fc05d204bd13a2fdad7b5942bc87bbe998f16a
                                                              • Instruction Fuzzy Hash: 3D11E731620205ABCF15BF70C816FED77E5AF54714F108829F549E7181DA719A619F90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: 0172044abab36f96cc2bace02a8fdb69e53cd69e2ef7735e1f7877c1d67801c4
                                                              • Instruction ID: 5302090d1b1b4863bf4cfa2848792b898cb1a2b7e98b576b5056c37c9a99fb66
                                                              • Opcode Fuzzy Hash: 0172044abab36f96cc2bace02a8fdb69e53cd69e2ef7735e1f7877c1d67801c4
                                                              • Instruction Fuzzy Hash: CA2104B4628311DFCB14DF64C494A5ABBE1BF88314F058968E88A57722D731E865CF92
                                                              APIs
                                                              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,002156A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00215C16
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: d53621fade546ccbfa5db0fd90a8af2d76c5309241dac8f20f798b7970e64109
                                                              • Instruction ID: 1ef3f1d94e75285432fa57e51d32420b34dacf61786d362b1c61c1e8e2ce7592
                                                              • Opcode Fuzzy Hash: d53621fade546ccbfa5db0fd90a8af2d76c5309241dac8f20f798b7970e64109
                                                              • Instruction Fuzzy Hash: 25116D31214B05DFD3208F15C440BA6B7E4EF94714F10C55EE89A86650D3B1E994CB50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 439ba46ed08accdd833f542a1f8ae8b8d2b96f8bded2deda04d850ad5107dde8
                                                              • Instruction ID: 6a249851fd19593379f5d643291630f0ecef08561efb8e7c36a8ef8c213bf526
                                                              • Opcode Fuzzy Hash: 439ba46ed08accdd833f542a1f8ae8b8d2b96f8bded2deda04d850ad5107dde8
                                                              • Instruction Fuzzy Hash: B6017CB9210912EFC705EB28C491D66F7A9FF9A3107144569E829C7702DB71EC71CBE0
                                                              APIs
                                                              • __lock_file.LIBCMT ref: 002348A6
                                                                • Part of subcall function 00238B28: __getptd_noexit.LIBCMT ref: 00238B28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit__lock_file
                                                              • String ID:
                                                              • API String ID: 2597487223-0
                                                              • Opcode ID: efdcbbcb048b9c7eebeec9791f682a20d7350434c5e65ebc7924dd671f3c9441
                                                              • Instruction ID: 36b0dbc62462f501f3ea5383a8450dc8927f5df3f380fd350e64b27759f4babb
                                                              • Opcode Fuzzy Hash: efdcbbcb048b9c7eebeec9791f682a20d7350434c5e65ebc7924dd671f3c9441
                                                              • Instruction Fuzzy Hash: 3FF022F193030AEBDF11BFB08C0A7AE36B0AF01328F018448F4209A181CBB89971DF41
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,002D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214E7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: cae4b04164d29340cefe54a50daa97fcc144a47a77d946f784bb657e745c2f4d
                                                              • Instruction ID: 981b94961cdec4808ba9c1de5b05fe094d5d6b9581c52fbcce558dc891ba809b
                                                              • Opcode Fuzzy Hash: cae4b04164d29340cefe54a50daa97fcc144a47a77d946f784bb657e745c2f4d
                                                              • Instruction Fuzzy Hash: F4F03075521712CFCB34AF64E494852BBE1BF24325310897EE2DE82611C77198A0DF80
                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002307B0
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath_memmove
                                                              • String ID:
                                                              • API String ID: 2514874351-0
                                                              • Opcode ID: 71f4628e2d83e6c1ec012ba20ffb5b95dc65a29b50843e814d6514a177b1e534
                                                              • Instruction ID: d45c3284360c99bf52c8fcf26ea79786ed8f2e35a8a2cc2360921a50ab7aac72
                                                              • Opcode Fuzzy Hash: 71f4628e2d83e6c1ec012ba20ffb5b95dc65a29b50843e814d6514a177b1e534
                                                              • Instruction Fuzzy Hash: 64E0CD3690412857C720D6589C06FEA77EDDFC87A0F0441B6FC0CD7209D9609DD08AD0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __fread_nolock
                                                              • String ID:
                                                              • API String ID: 2638373210-0
                                                              • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                              • Instruction ID: f60195b2f9c958f3e23edc94167b6e6c7a68114d83df15f182d7b09dc9bc62e6
                                                              • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                              • Instruction Fuzzy Hash: C0E09AB0214B009BDB388E24D840BE377E1AB0A304F00081DF2AAC3242EBA2B8518B59
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?), ref: 015A17E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                              • Instruction ID: 4cb6f7a09ec92b3096e14ebbde6adde819c4fd7721855b096375a98ca04e6b8a
                                                              • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                              • Instruction Fuzzy Hash: A4E0C27098560DEBDB14CBBCCD48AEE77E8FB05321F404A54E906CB2C0D6308A00D754
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0024DD42,?,?,00000000), ref: 00215C5F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 5e28aa07226b46dfd2cf90c2ae527f8758f8590b3c3fe3d8ccd7418a0f8cfc3e
                                                              • Instruction ID: 09f87b96ba8662f27bad770465f11fe399733efd61ba0d51f5b4adfb5273ce72
                                                              • Opcode Fuzzy Hash: 5e28aa07226b46dfd2cf90c2ae527f8758f8590b3c3fe3d8ccd7418a0f8cfc3e
                                                              • Instruction Fuzzy Hash: 23D0C77564020CBFE710DB80DC46FA9777CDB05710F100195FD0496290D6B27D508795
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?), ref: 015A17B3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                              • Instruction ID: 68f4325e2ec9444504ef3254597cbd6fc0197658194a857576b65080a474eb15
                                                              • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                              • Instruction Fuzzy Hash: 99D0A73094520CEBCB10CFB89D049DE77ECE705320F404B54FD15C7280D53199009754
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __wfsopen
                                                              • String ID:
                                                              APIs
                                                              • GetLastError.KERNEL32(00000002,00000000), ref: 0027D1FF
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              APIs
                                                              • Sleep.KERNELBASE(000001F4), ref: 015A31D9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              APIs
                                                              • Sleep.KERNELBASE(000001F4), ref: 015A31D9
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0029CB37
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0029CB95
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0029CBD6
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0029CC00
                                                              • SendMessageW.USER32 ref: 0029CC29
                                                              • _wcsncpy.LIBCMT ref: 0029CC95
                                                              • GetKeyState.USER32(00000011), ref: 0029CCB6
                                                              • GetKeyState.USER32(00000009), ref: 0029CCC3
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0029CCD9
                                                              • GetKeyState.USER32(00000010), ref: 0029CCE3
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0029CD0C
                                                              • SendMessageW.USER32 ref: 0029CD33
                                                              • SendMessageW.USER32(?,00001030,?,0029B348), ref: 0029CE37
                                                              • SetCapture.USER32(?), ref: 0029CE69
                                                              • ClientToScreen.USER32(?,?), ref: 0029CECE
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0029CEF5
                                                              • ReleaseCapture.USER32 ref: 0029CF00
                                                              • GetCursorPos.USER32(?), ref: 0029CF3A
                                                              • ScreenToClient.USER32(?,?), ref: 0029CF47
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0029CFA3
                                                              • SendMessageW.USER32 ref: 0029CFD1
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0029D00E
                                                              • SendMessageW.USER32 ref: 0029D03D
                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0029D05E
                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0029D06D
                                                              • GetCursorPos.USER32(?), ref: 0029D08D
                                                              • ScreenToClient.USER32(?,?), ref: 0029D09A
                                                              • GetParent.USER32(?), ref: 0029D0BA
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0029D123
                                                              • SendMessageW.USER32 ref: 0029D154
                                                              • ClientToScreen.USER32(?,?), ref: 0029D1B2
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0029D1E2
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0029D20C
                                                              • SendMessageW.USER32 ref: 0029D22F
                                                              • ClientToScreen.USER32(?,?), ref: 0029D281
                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0029D2B5
                                                                • Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0029D351
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                              • String ID: @GUI_DRAGID$@U=u$F
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _memmove$_memset
                                                              • String ID: 3c"$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_"
                                                              APIs
                                                              • GetForegroundWindow.USER32(00000000,?), ref: 002148DF
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024D665
                                                              • IsIconic.USER32(?), ref: 0024D66E
                                                              • ShowWindow.USER32(?,00000009), ref: 0024D67B
                                                              • SetForegroundWindow.USER32(?), ref: 0024D685
                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0024D69B
                                                              • GetCurrentThreadId.KERNEL32 ref: 0024D6A2
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0024D6AE
                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0024D6BF
                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0024D6C7
                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0024D6CF
                                                              • SetForegroundWindow.USER32(?), ref: 0024D6D2
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0024D6E7
                                                              • keybd_event.USER32(00000012,00000000), ref: 0024D6F2
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0024D6FC
                                                              • keybd_event.USER32(00000012,00000000), ref: 0024D701
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0024D70A
                                                              • keybd_event.USER32(00000012,00000000), ref: 0024D70F
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0024D719
                                                              • keybd_event.USER32(00000012,00000000), ref: 0024D71E
                                                              • SetForegroundWindow.USER32(?), ref: 0024D721
                                                              • AttachThreadInput.USER32(?,?,00000000), ref: 0024D748
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                              • String ID: Shell_TrayWnd
                                                              APIs
                                                                • Part of subcall function 002687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026882B
                                                                • Part of subcall function 002687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00268858
                                                                • Part of subcall function 002687E1: GetLastError.KERNEL32 ref: 00268865
                                                              • _memset.LIBCMT ref: 00268353
                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002683A5
                                                              • CloseHandle.KERNEL32(?), ref: 002683B6
                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002683CD
                                                              • GetProcessWindowStation.USER32 ref: 002683E6
                                                              • SetProcessWindowStation.USER32(00000000), ref: 002683F0
                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0026840A
                                                                • Part of subcall function 002681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00268309), ref: 002681E0
                                                                • Part of subcall function 002681CB: CloseHandle.KERNEL32(?,?,00268309), ref: 002681F2
                                                              Strings
                                                              Similarity
                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                              • String ID: $default$winsta0$winsta0\default
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0027C78D
                                                              • FindClose.KERNEL32(00000000), ref: 0027C7E1
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0027C806
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0027C81D
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0027C844
                                                              • __swprintf.LIBCMT ref: 0027C890
                                                              • __swprintf.LIBCMT ref: 0027C8D3
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                              • __swprintf.LIBCMT ref: 0027C927
                                                                • Part of subcall function 00233698: __woutput_l.LIBCMT ref: 002336F1
                                                              • __swprintf.LIBCMT ref: 0027C975
                                                                • Part of subcall function 00233698: __flsbuf.LIBCMT ref: 00233713
                                                                • Part of subcall function 00233698: __flsbuf.LIBCMT ref: 0023372B
                                                              • __swprintf.LIBCMT ref: 0027C9C4
                                                              • __swprintf.LIBCMT ref: 0027CA13
                                                              • __swprintf.LIBCMT ref: 0027CA62
                                                              Strings
                                                              Similarity
                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0027EFB6
                                                              • _wcscmp.LIBCMT ref: 0027EFCB
                                                              • _wcscmp.LIBCMT ref: 0027EFE2
                                                              • GetFileAttributesW.KERNEL32(?), ref: 0027EFF4
                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 0027F00E
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0027F026
                                                              • FindClose.KERNEL32(00000000), ref: 0027F031
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0027F04D
                                                              • _wcscmp.LIBCMT ref: 0027F074
                                                              • _wcscmp.LIBCMT ref: 0027F08B
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0027F09D
                                                              • SetCurrentDirectoryW.KERNEL32(002C8920), ref: 0027F0BB
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0027F0C5
                                                              • FindClose.KERNEL32(00000000), ref: 0027F0D2
                                                              • FindClose.KERNEL32(00000000), ref: 0027F0E4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                              • String ID: *.*
                                                              • API String ID: 1803514871-438819550
                                                              • Opcode ID: f6b15cc9a7807b1a186a29e1a5b56dc538e062f55f16d1c50ec997f347fc0c02
                                                              • Instruction ID: ad6a308591c691bbc5bbe6ac3d825874b25377771e1b2afae9a926dfdfdeac3c
                                                              • Opcode Fuzzy Hash: f6b15cc9a7807b1a186a29e1a5b56dc538e062f55f16d1c50ec997f347fc0c02
                                                              • Instruction Fuzzy Hash: 143107325151196BCB90DFB0ED48FEE77AC9F49320F108176E808E2191EB70DA60CA61
                                                              APIs
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00290953
                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0029F910,00000000,?,00000000,?,?), ref: 002909C1
                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00290A09
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00290A92
                                                              • RegCloseKey.ADVAPI32(?), ref: 00290DB2
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00290DBF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectCreateRegistryValue
                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                              • API String ID: 536824911-966354055
                                                              • Opcode ID: d1235a66cdae7810920f002759415a26ab7573e16d52c298d6b04ce6d89da66f
                                                              • Instruction ID: f72a472c5f435547e9f8bf5006dae26df37baeaf6af3132a3c9fa5633527ae34
                                                              • Opcode Fuzzy Hash: d1235a66cdae7810920f002759415a26ab7573e16d52c298d6b04ce6d89da66f
                                                              • Instruction Fuzzy Hash: 480267756206119FCB54EF24C895E6AB7E5FF89310F05845DF88A9B262CB30EDA1CF81
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • DragQueryPoint.SHELL32(?,?), ref: 0029C627
                                                                • Part of subcall function 0029AB37: ClientToScreen.USER32(?,?), ref: 0029AB60
                                                                • Part of subcall function 0029AB37: GetWindowRect.USER32(?,?), ref: 0029ABD6
                                                                • Part of subcall function 0029AB37: PtInRect.USER32(?,?,0029C014), ref: 0029ABE6
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0029C690
                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0029C69B
                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0029C6BE
                                                              • _wcscat.LIBCMT ref: 0029C6EE
                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0029C705
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0029C71E
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0029C735
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0029C757
                                                              • DragFinish.SHELL32(?), ref: 0029C75E
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0029C851
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                                                              • API String ID: 2166380349-762882726
                                                              • Opcode ID: 8e46a913eb2d060ca91ef055b33377b82b7dff9c49ac218751c687e7948e20a8
                                                              • Instruction ID: 39a14df5ced71ad179436785f50bc3ac3e78ac9c141b2c63965d2e0c91721d53
                                                              • Opcode Fuzzy Hash: 8e46a913eb2d060ca91ef055b33377b82b7dff9c49ac218751c687e7948e20a8
                                                              • Instruction Fuzzy Hash: D5617D71118301AFC701DF64DC89D9FBBE8EF99710F10092EF595921A1DB709AA9CF52
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0027F113
                                                              • _wcscmp.LIBCMT ref: 0027F128
                                                              • _wcscmp.LIBCMT ref: 0027F13F
                                                                • Part of subcall function 00274385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002743A0
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0027F16E
                                                              • FindClose.KERNEL32(00000000), ref: 0027F179
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0027F195
                                                              • _wcscmp.LIBCMT ref: 0027F1BC
                                                              • _wcscmp.LIBCMT ref: 0027F1D3
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0027F1E5
                                                              • SetCurrentDirectoryW.KERNEL32(002C8920), ref: 0027F203
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0027F20D
                                                              • FindClose.KERNEL32(00000000), ref: 0027F21A
                                                              • FindClose.KERNEL32(00000000), ref: 0027F22C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                              • String ID: *.*
                                                              • API String ID: 1824444939-438819550
                                                              • Opcode ID: d343b4fe0eb9c804ca5f6219b50baa6ace5875680c8692f6728f014edaaab94e
                                                              • Instruction ID: 9dcec66e58097ace2f2d4f27c0afebdff278f30b9ec35aed9d2672c370feed20
                                                              • Opcode Fuzzy Hash: d343b4fe0eb9c804ca5f6219b50baa6ace5875680c8692f6728f014edaaab94e
                                                              • Instruction Fuzzy Hash: 6D31E73651421AAACB90EF74ED49FEE77AC9F49360F108176EC08E2191DB30DE65CE54
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0027A20F
                                                              • __swprintf.LIBCMT ref: 0027A231
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0027A26E
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0027A293
                                                              • _memset.LIBCMT ref: 0027A2B2
                                                              • _wcsncpy.LIBCMT ref: 0027A2EE
                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0027A323
                                                              • CloseHandle.KERNEL32(00000000), ref: 0027A32E
                                                              • RemoveDirectoryW.KERNEL32(?), ref: 0027A337
                                                              • CloseHandle.KERNEL32(00000000), ref: 0027A341
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                              • String ID: :$\$\??\%s
                                                              • API String ID: 2733774712-3457252023
                                                              • Opcode ID: c76a8f1557172eb18c3821008dbe8adc46be32d1e2c39e103407b46345331c72
                                                              • Instruction ID: a799ca15b0811a134eaf73d7b0e1c3b5d89cdffe43d89fb03ed6b42d839322c8
                                                              • Opcode Fuzzy Hash: c76a8f1557172eb18c3821008dbe8adc46be32d1e2c39e103407b46345331c72
                                                              • Instruction Fuzzy Hash: 6C31C1B291410AABDB20DFA0DC49FEF77BCEF88710F1041B6F908D2161EB7096548B25
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0029C1FC
                                                              • GetFocus.USER32 ref: 0029C20C
                                                              • GetDlgCtrlID.USER32(00000000), ref: 0029C217
                                                              • _memset.LIBCMT ref: 0029C342
                                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0029C36D
                                                              • GetMenuItemCount.USER32(?), ref: 0029C38D
                                                              • GetMenuItemID.USER32(?,00000000), ref: 0029C3A0
                                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0029C3D4
                                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0029C41C
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0029C454
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0029C489
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                              • String ID: 0
                                                              • API String ID: 3616455698-4108050209
                                                              • Opcode ID: f1d3d20d9e1d272292b7cbff966dbd537f3efa39e424e500d4aa8159096ea25b
                                                              • Instruction ID: 68d32838a99d7bc1d15fdfe88508855269455eb05a25c4887bf23384e48a99b1
                                                              • Opcode Fuzzy Hash: f1d3d20d9e1d272292b7cbff966dbd537f3efa39e424e500d4aa8159096ea25b
                                                              • Instruction Fuzzy Hash: FB81AD706283529FDB10DF24D994A6BBBE8FF88314F20492EF99597291C770DD24CB62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 3c"$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_"
                                                              • API String ID: 0-1150863245
                                                              • Opcode ID: bf2be9c537bb00bcccaad4d260c2c4da68d93d33b95d828fc67bbf7921c5aacb
                                                              • Instruction ID: a3afb949a996d81d728d8e5e49dfdf9564bc7a7b5a1c17739cedecb1b03c6971
                                                              • Opcode Fuzzy Hash: bf2be9c537bb00bcccaad4d260c2c4da68d93d33b95d828fc67bbf7921c5aacb
                                                              • Instruction Fuzzy Hash: A9726275D20225DBDF14DF99D8847ADB7B5FF48310F14816AE809EB290DB709DA1CB90
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00270097
                                                              • SetKeyboardState.USER32(?), ref: 00270102
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00270122
                                                              • GetKeyState.USER32(000000A0), ref: 00270139
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00270168
                                                              • GetKeyState.USER32(000000A1), ref: 00270179
                                                              • GetAsyncKeyState.USER32(00000011), ref: 002701A5
                                                              • GetKeyState.USER32(00000011), ref: 002701B3
                                                              • GetAsyncKeyState.USER32(00000012), ref: 002701DC
                                                              • GetKeyState.USER32(00000012), ref: 002701EA
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00270213
                                                              • GetKeyState.USER32(0000005B), ref: 00270221
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: da7186df5075886555f1e4f1f5b44c86d2b2cfb2e90efbcbf026363dd06555a9
                                                              • Instruction ID: cd7dda65b56e7b4d9e482133f2d6f9b4c045f5e7b66b4146bc8d98690de3f4a1
                                                              • Opcode Fuzzy Hash: da7186df5075886555f1e4f1f5b44c86d2b2cfb2e90efbcbf026363dd06555a9
                                                              • Instruction Fuzzy Hash: A9513D2091438999FB31DFA088957AABFB49F01380F48C59ED9CD561C3DAB49B9CCB61
                                                              APIs
                                                                • Part of subcall function 00290E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028FDAD,?,?), ref: 00290E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002904AC
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0029054B
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002905E3
                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00290822
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0029082F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1240663315-0
                                                              • Opcode ID: 2acaf024b03660be58cc0f5f263fb3ee5b01431ad70ba339e47a4d359232ba9f
                                                              • Instruction ID: 409ea18de6835a85b809334055e33f10119b290b08c6a42034035c7bc2444513
                                                              • Opcode Fuzzy Hash: 2acaf024b03660be58cc0f5f263fb3ee5b01431ad70ba339e47a4d359232ba9f
                                                              • Instruction Fuzzy Hash: ECE16C31214215AFCB54DF24C895E6ABBE8FF89314F04856DF84ADB261DA30ED61CF91
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • GetSystemMetrics.USER32(0000000F), ref: 0029D47C
                                                              • GetSystemMetrics.USER32(0000000F), ref: 0029D49C
                                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0029D6D7
                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0029D6F5
                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0029D716
                                                              • ShowWindow.USER32(00000003,00000000), ref: 0029D735
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0029D75A
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0029D77D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                                              • String ID: @U=u
                                                              • API String ID: 830902736-2594219639
                                                              • Opcode ID: d0238b28b5ece3006035d242ec230b55fe27c24112e478b2144caff4754f068c
                                                              • Instruction ID: fa77997a16dcb09c34299db784babbe1b4ec8ce9bceae75679cf3149625ed80c
                                                              • Opcode Fuzzy Hash: d0238b28b5ece3006035d242ec230b55fe27c24112e478b2144caff4754f068c
                                                              • Instruction Fuzzy Hash: 39B19B75A00226EBDF14CF68D9C97ED7BB1BF04701F088069EC489B295D774A960DB50
                                                              APIs
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                              • CoInitialize.OLE32 ref: 00288403
                                                              • CoUninitialize.COMBASE ref: 0028840E
                                                              • CoCreateInstance.COMBASE(?,00000000,00000017,002A2BEC,?), ref: 0028846E
                                                              • IIDFromString.COMBASE(?,?), ref: 002884E1
                                                              • VariantInit.OLEAUT32(?), ref: 0028857B
                                                              • VariantClear.OLEAUT32(?), ref: 002885DC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                              • API String ID: 834269672-1287834457
                                                              • Opcode ID: 6fc96a5a254a001c54af557fa6bbec0e78e77cf9b09daefd0f672342f6a345f3
                                                              • Instruction ID: deab1ad21f6dffe9930ac78b48b77526cd7aa5e1e2210734ac0039c81af6687b
                                                              • Opcode Fuzzy Hash: 6fc96a5a254a001c54af557fa6bbec0e78e77cf9b09daefd0f672342f6a345f3
                                                              • Instruction Fuzzy Hash: E961FF752293129FC710EF14C848F6EB7E8AF49704F80481DF9829B291CB70EDA4CB92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                              • String ID:
                                                              • API String ID: 1737998785-0
                                                              • Opcode ID: 96384c81079faf55ef64e42ff630e0647a20e8b400e8f34f1a9d1e719c7f0b12
                                                              • Instruction ID: a325c46948fe6ff51cc521f21129ef346b3e691a55e1bcd9523628fbf6df52fb
                                                              • Opcode Fuzzy Hash: 96384c81079faf55ef64e42ff630e0647a20e8b400e8f34f1a9d1e719c7f0b12
                                                              • Instruction Fuzzy Hash: 9921BF356122159FDB40BF24ED0DB6A7BA8EF15710F10802AF946DB2A1DB70AC61CB44
                                                              APIs
                                                                • Part of subcall function 00214750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00214743,?,?,002137AE,?), ref: 00214770
                                                                • Part of subcall function 00274A31: GetFileAttributesW.KERNEL32(?,0027370B), ref: 00274A32
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 002738A3
                                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0027394B
                                                              • MoveFileW.KERNEL32(?,?), ref: 0027395E
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0027397B
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0027399D
                                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 002739B9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 4002782344-1173974218
                                                              • Opcode ID: e3929e283636020fd99255ced17e7c36268e00b0f5c7fa62092c525fb8d70cb9
                                                              • Instruction ID: eba41c3922b964de77129afa005755c166477b9725801f614421cc183cdd1bed
                                                              • Opcode Fuzzy Hash: e3929e283636020fd99255ced17e7c36268e00b0f5c7fa62092c525fb8d70cb9
                                                              • Instruction Fuzzy Hash: 2351813182514DEACF05EBA0DA929EDB7B8AF64300F6040A9E409B7191EF316F59DF91
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0027F440
                                                              • Sleep.KERNEL32(0000000A), ref: 0027F470
                                                              • _wcscmp.LIBCMT ref: 0027F484
                                                              • _wcscmp.LIBCMT ref: 0027F49F
                                                              • FindNextFileW.KERNEL32(?,?), ref: 0027F53D
                                                              • FindClose.KERNEL32(00000000), ref: 0027F553
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                              • String ID: *.*
                                                              • API String ID: 713712311-438819550
                                                              • Opcode ID: 1993fe0689c64f8d4de12a81e4aa4db383e20af00a04faf075eb1e7863cfc55c
                                                              • Instruction ID: c2b1c6532fe82c44de4086fb019c9bb9ba5203f557211043f48133d803427785
                                                              • Opcode Fuzzy Hash: 1993fe0689c64f8d4de12a81e4aa4db383e20af00a04faf075eb1e7863cfc55c
                                                              • Instruction Fuzzy Hash: E241B37192421A9FCF90DF64DD49AEEBBB4FF05310F508466E819A3190EB309EA4CF90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf
                                                              • String ID: 3c"$_"
                                                              • API String ID: 674341424-2711503754
                                                              • Opcode ID: 5bcc065175e640d044dc3b6de5c7131e5638bf902893d1cf6600410805f5c1df
                                                              • Instruction ID: 4769b443b5c95801f1f14af6d22259c9de899e715e59a65dba3ea2468d9a0971
                                                              • Opcode Fuzzy Hash: 5bcc065175e640d044dc3b6de5c7131e5638bf902893d1cf6600410805f5c1df
                                                              • Instruction Fuzzy Hash: 8F22BE71628311AFC724DF54D891BAEB7E4BF84310F40491DF88A97291DB74EA68CF92
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0026E628
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: lstrlen
                                                              • String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
                                                              • API String ID: 1659193697-2318614619
                                                              • Opcode ID: f3d9da7ab4ccfd0f49cacab9cc98296c8edff9f04586f7c7ecfd63940db67b48
                                                              • Instruction ID: 6a76243a40b443049d47dc10fe7a36882429857af7b90cf9f0669733f500949e
                                                              • Opcode Fuzzy Hash: f3d9da7ab4ccfd0f49cacab9cc98296c8edff9f04586f7c7ecfd63940db67b48
                                                              • Instruction Fuzzy Hash: 0A323679A107059FDB28CF59C48196AB7F0FF48310B16C56EE89ADB3A1E770E991CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: a5d20df58a551792053df6534afaa06e059acaf9474a20b6dff22e853435875a
                                                              • Instruction ID: ca0dd57fce2a17b9e6a6f951428451c304cde3c6f23b6b8f4f1d0413c10b3bcc
                                                              • Opcode Fuzzy Hash: a5d20df58a551792053df6534afaa06e059acaf9474a20b6dff22e853435875a
                                                              • Instruction Fuzzy Hash: 5E129C70A20629EFDF04DFA5D981AEEB3F5FF48300F108569E406A7250EB75ADA0CB50
                                                              APIs
                                                                • Part of subcall function 002687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026882B
                                                                • Part of subcall function 002687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00268858
                                                                • Part of subcall function 002687E1: GetLastError.KERNEL32 ref: 00268865
                                                              • ExitWindowsEx.USER32(?,00000000), ref: 002751F9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                              • String ID: $@$SeShutdownPrivilege
                                                              • API String ID: 2234035333-194228
                                                              • Opcode ID: 4d3d05632d9e0cd65f7011bae0364846c60d28bf937d3fb6d3bf24c9429731b0
                                                              • Instruction ID: d0b4f7c7142e245720ecd92272d1ddae5d671390f0f9348efd5336a4e596bce8
                                                              • Opcode Fuzzy Hash: 4d3d05632d9e0cd65f7011bae0364846c60d28bf937d3fb6d3bf24c9429731b0
                                                              • Instruction Fuzzy Hash: CD01F7357B16226BE7686A68AC8AFBBF2589B05341F618525FD0FE20D3D9F11C208590
                                                              APIs
                                                              • socket.WS2_32(00000002,00000001,00000006), ref: 002862DC
                                                              • WSAGetLastError.WS2_32(00000000), ref: 002862EB
                                                              • bind.WS2_32(00000000,?,00000010), ref: 00286307
                                                              • listen.WS2_32(00000000,00000005), ref: 00286316
                                                              • WSAGetLastError.WS2_32(00000000), ref: 00286330
                                                              • closesocket.WS2_32(00000000), ref: 00286344
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                              • String ID:
                                                              • API String ID: 1279440585-0
                                                              • Opcode ID: 64cc91cc09b6ca3033714f1e8410ef990d2a73a42eff4e08999ced47def5f20d
                                                              • Instruction ID: a241f9ae93a221834dc7d9deb47def7fbd661b7229f298e1b5f623dd5127047a
                                                              • Opcode Fuzzy Hash: 64cc91cc09b6ca3033714f1e8410ef990d2a73a42eff4e08999ced47def5f20d
                                                              • Instruction Fuzzy Hash: 0721D2346102049FCB40EF64D949BAEB7E9EF45720F158169E816E73D1C770AD91CB51
                                                              APIs
                                                                • Part of subcall function 00230DB6: std::exception::exception.LIBCMT ref: 00230DEC
                                                                • Part of subcall function 00230DB6: __CxxThrowException@8.LIBCMT ref: 00230E01
                                                              • _memmove.LIBCMT ref: 00260258
                                                              • _memmove.LIBCMT ref: 0026036D
                                                              • _memmove.LIBCMT ref: 00260414
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1300846289-0
                                                              • Opcode ID: c9922522403864e92a8bcb24716bc56e3e217896af3e7cbd9aff4e22104e6337
                                                              • Instruction ID: ca3757028b0f481496a8c1c6a771e0cbe1f123aec3228d26b27977a0b7f9e7cb
                                                              • Opcode Fuzzy Hash: c9922522403864e92a8bcb24716bc56e3e217896af3e7cbd9aff4e22104e6337
                                                              • Instruction Fuzzy Hash: 4D02B3B0A20219DBCF04DF64D9D1ABE77F5EF44300F5480A9E80ADB255EB35D9A0DB91
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 002119FA
                                                              • GetSysColor.USER32(0000000F), ref: 00211A4E
                                                              • SetBkColor.GDI32(?,00000000), ref: 00211A61
                                                                • Part of subcall function 00211290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002112D8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ColorDialogNtdllProc_$LongWindow
                                                              • String ID:
                                                              • API String ID: 591255283-0
                                                              • Opcode ID: 039249d2937e646065035bc44b8dc7d3755cccc78761c0ac158a77a1d37c8fd2
                                                              • Instruction ID: f40a0be14c482912f89c2b71496d7e6a2132c7ee6552c515e1f9ae14a3ab4eb9
                                                              • Opcode Fuzzy Hash: 039249d2937e646065035bc44b8dc7d3755cccc78761c0ac158a77a1d37c8fd2
                                                              • Instruction Fuzzy Hash: E7A16870136556BAEB29AF289C48DFF29DCDF69341B24011AF702D2192CA74DDB0DAB1
                                                              APIs
                                                                • Part of subcall function 00287D8B: inet_addr.WS2_32(00000000), ref: 00287DB6
                                                              • socket.WS2_32(00000002,00000002,00000011), ref: 0028679E
                                                              • WSAGetLastError.WS2_32(00000000), ref: 002867C7
                                                              • bind.WS2_32(00000000,?,00000010), ref: 00286800
                                                              • WSAGetLastError.WS2_32(00000000), ref: 0028680D
                                                              • closesocket.WS2_32(00000000), ref: 00286821
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 99427753-0
                                                              • Opcode ID: 2e08171012144ebfd20b47caac3b5300468606d92223189b11e94b2067c4a8a8
                                                              • Instruction ID: b985c708910733dbf78a96d443e3a0b2a25f88bbb831b14fbfe6aaee68917490
                                                              • Opcode Fuzzy Hash: 2e08171012144ebfd20b47caac3b5300468606d92223189b11e94b2067c4a8a8
                                                              • Instruction Fuzzy Hash: 6E410675A102046FDB50BF249C96FBE77E8EF19714F04845CF915AB3C2CA709D908B91
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                              • String ID:
                                                              • API String ID: 292994002-0
                                                              • Opcode ID: f4e87fed02b95c13202ea949d13c7de1584f67f00a6d326f0281025518c11fdb
                                                              • Instruction ID: 55e141f155dc5d7a45eae1e3e6f926951d54a94a2834cae10f7cf6e13089cbf7
                                                              • Opcode Fuzzy Hash: f4e87fed02b95c13202ea949d13c7de1584f67f00a6d326f0281025518c11fdb
                                                              • Instruction Fuzzy Hash: BE11C8313209216FEF625F269C48A6EBB9CEF557A1F514079F845D3241CBB0DC51CB94
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002680C0
                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002680CA
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002680D9
                                                              • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 002680E0
                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002680F6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 47921759-0
                                                              • Opcode ID: 4476195efece6c6dcd59d13570a90737397fd044e1865c610da20588103d896f
                                                              • Instruction ID: d49c2aac6bed398ee0a22d97f9d7474e09e3c10e4b3c93dc04d783d9722d7c11
                                                              • Opcode Fuzzy Hash: 4476195efece6c6dcd59d13570a90737397fd044e1865c610da20588103d896f
                                                              • Instruction Fuzzy Hash: F7F0C230210205BFEB500FA4EC8DE6B3BACEF4A754B000166F90DD2150CF609C52DA60
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00214AD0), ref: 00214B45
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00214B57
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 2574300362-192647395
                                                              • Opcode ID: d2e457df7e4ec912ec9798616f066ded277a140e06ea9831e63dc75ffc8edd0c
                                                              • Instruction ID: 47f74129e3a2a67fd8d7ea18dde21df0d1f00f680f8ea285569c47806fc10aa6
                                                              • Opcode Fuzzy Hash: d2e457df7e4ec912ec9798616f066ded277a140e06ea9831e63dc75ffc8edd0c
                                                              • Instruction Fuzzy Hash: 7FD01274A20713CFDBA09F31E928B4676E4AF16355B15883A9489D6550D670D4D0C694
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0028EE3D
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0028EE4B
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 0028EF0B
                                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0028EF1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                              • String ID:
                                                              • API String ID: 2576544623-0
                                                              • Opcode ID: d8bde9075f574dfdce7dccdc2728ae6c3b617352dec56a91c4d788c5fa0e1a73
                                                              • Instruction ID: a0f3b7a1e779f7b0e381e4869d57e7ed04cdf31f52ffc82b846d6e908face3fa
                                                              • Opcode Fuzzy Hash: d8bde9075f574dfdce7dccdc2728ae6c3b617352dec56a91c4d788c5fa0e1a73
                                                              • Instruction Fuzzy Hash: 4851AE71518311AFD310EF20DC85EABB7E8EFA8710F10482DF595972A1EB70E958CB92
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • GetCursorPos.USER32(?), ref: 0029C4D2
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0024B9AB,?,?,?,?,?), ref: 0029C4E7
                                                              • GetCursorPos.USER32(?), ref: 0029C534
                                                              • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0024B9AB,?,?,?), ref: 0029C56E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                              • String ID:
                                                              • API String ID: 1423138444-0
                                                              • Opcode ID: 09c0f4f8256bbdc82125cef87c56fdde98de6c958b488cd349569be08009e42d
                                                              • Instruction ID: 8f00a7bbcfedcd1cc3506b7246b65aef42268e05a07a3a6eb0649fc9ffd65212
                                                              • Opcode Fuzzy Hash: 09c0f4f8256bbdc82125cef87c56fdde98de6c958b488cd349569be08009e42d
                                                              • Instruction Fuzzy Hash: 0931A035610068EFCF25CF58D898EEA7BB9EB09310F95406AF9059B261C731AD60DFA4
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002112D8
                                                              • GetClientRect.USER32(?,?), ref: 0024B5FB
                                                              • GetCursorPos.USER32(?), ref: 0024B605
                                                              • ScreenToClient.USER32(?,?), ref: 0024B610
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                                              • String ID:
                                                              • API String ID: 1010295502-0
                                                              • Opcode ID: 23c128e5405d4c8b1c838ac2e0bb866320f07759425ad1e08da45785bf83d405
                                                              • Instruction ID: 7d5e001f6f759a22256cd9fb0db57ff03f4baf7b0533f2ac26beb547ba994566
                                                              • Opcode Fuzzy Hash: 23c128e5405d4c8b1c838ac2e0bb866320f07759425ad1e08da45785bf83d405
                                                              • Instruction Fuzzy Hash: 31113A35A21129EFCF10EF98D9899EE77F8EB15301F500456FA11E7240C774BAB18BA5
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0024B93A,?,?,?), ref: 0029C5F1
                                                                • Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC
                                                              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0029C5D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                              • String ID: @U=u
                                                              • API String ID: 1273190321-2594219639
                                                              • Opcode ID: cc5e69ca9ea1d6613ece2ec99077832b3a7099653dc3ad4802749298d697ccb7
                                                              • Instruction ID: b946ba4cf109c01e047b7bb9c0bbebe7da51a0a3347be4afb0a92d5660a5edbc
                                                              • Opcode Fuzzy Hash: cc5e69ca9ea1d6613ece2ec99077832b3a7099653dc3ad4802749298d697ccb7
                                                              • Instruction Fuzzy Hash: 5601B131211214EBCF255F14DC98F6A7BA6FF85360F650129F9516B2E0CB72AC61EB90
                                                              APIs
                                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0028180A,00000000), ref: 002823E1
                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00282418
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                              • String ID:
                                                              • API String ID: 599397726-0
                                                              • Opcode ID: 45a6114c10c46e95a79a9631611d447c37fd1a894f50621fddd30886f8e1bbb8
                                                              • Instruction ID: dcd237ce98de4f8a3e9b24f76ee012a983523fb4e69ab2de34bfc2912c547e31
                                                              • Opcode Fuzzy Hash: 45a6114c10c46e95a79a9631611d447c37fd1a894f50621fddd30886f8e1bbb8
                                                              • Instruction Fuzzy Hash: 59411975521209FFEB10EE95DC85EBBB7BCEB40314F10406AFA01A61C0DAB49E659B60
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0027B343
                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0027B39D
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0027B3EA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 1682464887-0
                                                              • Opcode ID: 20dab60257f6635dfad1fe4d2205b72eacec91055e6248d6b091bbd43326e20a
                                                              • Instruction ID: 9125f51629efa74348b037018e5e2328d1892d7f587aba698820fd990bca12e8
                                                              • Opcode Fuzzy Hash: 20dab60257f6635dfad1fe4d2205b72eacec91055e6248d6b091bbd43326e20a
                                                              • Instruction Fuzzy Hash: 56215135A10518DFCB00EFA5D885AEDBBB8FF49310F1480AAE905AB351CB319955CF51
                                                              APIs
                                                                • Part of subcall function 00230DB6: std::exception::exception.LIBCMT ref: 00230DEC
                                                                • Part of subcall function 00230DB6: __CxxThrowException@8.LIBCMT ref: 00230E01
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026882B
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00268858
                                                              • GetLastError.KERNEL32 ref: 00268865
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1922334811-0
                                                              • Opcode ID: c0abc3264d240a64e2e39cf6fe38f8d407216d3a309ec53773e0eb9a64d59b0f
                                                              • Instruction ID: c2e1ce3f0cd3764824f842296c339b285aeb413792e59d134f67065da8b5fbbc
                                                              • Opcode Fuzzy Hash: c0abc3264d240a64e2e39cf6fe38f8d407216d3a309ec53773e0eb9a64d59b0f
                                                              • Instruction Fuzzy Hash: 59118FB2524209AFE718DFA4EC85D6BB7FDEB44710B20862EF45597241EB70BC508B60
                                                              APIs
                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00268774
                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0026878B
                                                              • FreeSid.ADVAPI32(?), ref: 0026879B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                              • String ID:
                                                              • API String ID: 3429775523-0
                                                              • Opcode ID: b037ec748419c6cc1dc2dcc99d68939c793b6cf8d54fd34e0c66078845628771
                                                              • Instruction ID: 8b7db7fff6106fe8ad074b61c82899c720fa649cc14924c5194a4ab0792dcb44
                                                              • Opcode Fuzzy Hash: b037ec748419c6cc1dc2dcc99d68939c793b6cf8d54fd34e0c66078845628771
                                                              • Instruction Fuzzy Hash: CFF06D75A1130DBFDF40DFF4DD89ABEBBBCEF08201F1045A9A901E2181E7716A548B50
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                                • Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC
                                                              • GetParent.USER32(?), ref: 0024B7BA
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,002119B3,?,?,?,00000006,?), ref: 0024B834
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$DialogNtdllParentProc_
                                                              • String ID:
                                                              • API String ID: 314495775-0
                                                              • Opcode ID: 0327eeccce90cb3c4c57e73e62e37667686ff79ea303755931b55ff3b8849911
                                                              • Instruction ID: 61d138808bce4efb6e5dda30ff57f3a1209fb90c3158f07ad3044593a69a9d9c
                                                              • Opcode Fuzzy Hash: 0327eeccce90cb3c4c57e73e62e37667686ff79ea303755931b55ff3b8849911
                                                              • Instruction Fuzzy Hash: 31217730621515AFCB258F28C888DEA7BD6EF1A320F584251F6294B3F2C7719DB2DB10
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0027C6FB
                                                              • FindClose.KERNEL32(00000000), ref: 0027C72B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: 1e4d466761345c93a7e228f5ab59b59c633970f06247a3b145be9a98cf91fe8e
                                                              • Instruction ID: d441f6b4834f9244b39788d95e9305bc433b1f2cef49cb5a1b98a45e74e7f93d
                                                              • Opcode Fuzzy Hash: 1e4d466761345c93a7e228f5ab59b59c633970f06247a3b145be9a98cf91fe8e
                                                              • Instruction Fuzzy Hash: 08118E726102049FDB10EF29D899A6AF7E8EF95320F11851EF8A9C7290DB30A851CF81
                                                              APIs
                                                              • ClientToScreen.USER32(?,?), ref: 0029C961
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0024BA16,?,?,?,?,?), ref: 0029C98A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ClientDialogNtdllProc_Screen
                                                              • String ID:
                                                              • API String ID: 3420055661-0
                                                              • Opcode ID: ef751e6e82e6fe313112f66510afc58ad45424e4a5038ecef55d9e0422d678ae
                                                              • Instruction ID: 0436ca9e6c6bd19cb6b164b567fac1a2f5d685bfb607c1434bc291f1838efb70
                                                              • Opcode Fuzzy Hash: ef751e6e82e6fe313112f66510afc58ad45424e4a5038ecef55d9e0422d678ae
                                                              • Instruction Fuzzy Hash: C0F01772410218FFEF448F85ED099AE7BB9FB48311F10416AF901A2161D371AA60EBA4
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00289468,?,0029FB84,?), ref: 0027A097
                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00289468,?,0029FB84,?), ref: 0027A0A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: 1f10c8b6466ae0d9d88d244970f070d0742a2e79bf817deb2a28bc06139ac38d
                                                              • Instruction ID: 094f6fddd41b3581689bb67bfb39954d322b30fdfae2532f7e461a1743ee3f9f
                                                              • Opcode Fuzzy Hash: 1f10c8b6466ae0d9d88d244970f070d0742a2e79bf817deb2a28bc06139ac38d
                                                              • Instruction Fuzzy Hash: E0F0E23511422DBBDB609FA4DC48FEE736CBF08361F008166F809D2181CA309950CBA1
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0029CA84
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0024B995,?,?,?,?), ref: 0029CAB2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogLongNtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 2065330234-0
                                                              • Opcode ID: 4c1f80b2bd7699cf27533932c8d1dad83316dad1fc044ca0799d91107bcf2c75
                                                              • Instruction ID: 598ac76b5787cc60b9ac5fe804bc7dabfaffc484e3714710eb1499bfc4e8d24d
                                                              • Opcode Fuzzy Hash: 4c1f80b2bd7699cf27533932c8d1dad83316dad1fc044ca0799d91107bcf2c75
                                                              • Instruction Fuzzy Hash: 2DE08670100219BFEF549F19DC0AFBA3B58EB04791F50811AF956D91E1C7709860D760
                                                              APIs
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00268309), ref: 002681E0
                                                              • CloseHandle.KERNEL32(?,?,00268309), ref: 002681F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                              • String ID:
                                                              • API String ID: 81990902-0
                                                              • Opcode ID: dd2f5ba59f16da887a93172ea595c47c3c694cc4a05e6804498acca34ace4fd6
                                                              • Instruction ID: e78f3eac202bfce43b1917a0ec625a0ba9f53ab7e98e8c0dc25f85a1cff9dfe6
                                                              • Opcode Fuzzy Hash: dd2f5ba59f16da887a93172ea595c47c3c694cc4a05e6804498acca34ace4fd6
                                                              • Instruction Fuzzy Hash: D7E0E672024511AFE7652B70FC09D7777EDEF04310B14896DF465C4470DB625CA1DB50
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,002A4178,00238D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 0023A15A
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0023A163
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: aa834b387adfe8e4aa61d3b285fbbe35d443bb78639afd7218d58583c41771d4
                                                              • Instruction ID: caeba3d25a09ea7c5a4406876e7fb6f749f7aa62b1dff091c2d80c8b91a2e145
                                                              • Opcode Fuzzy Hash: aa834b387adfe8e4aa61d3b285fbbe35d443bb78639afd7218d58583c41771d4
                                                              • Instruction Fuzzy Hash: A3B09231054248EBCAC02BA1FD0DB883F68EB44BA2F4040A2FE0DC4060CB6654A08A99
                                                              Strings
                                                              • Variable must be of type 'Object'., xrefs: 00253E62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Variable must be of type 'Object'.
                                                              • API String ID: 0-109567571
                                                              • Opcode ID: 87346ae722c5f9eab28e4e46b63ee6554d438cbf6c979776aa6e249886a308d0
                                                              • Instruction ID: 4a6963012439a421132233579b813b5632dc34334662d5b747132e09215ccb77
                                                              • Opcode Fuzzy Hash: 87346ae722c5f9eab28e4e46b63ee6554d438cbf6c979776aa6e249886a308d0
                                                              • Instruction Fuzzy Hash: F1A26C74A20206CBCF24CF54C884AEAB7F1FF69314F26805AEC159B351D771ADA6CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2455177201d59c4c89735a9f094db849a45f318be9e8c056b45f7960fe51e68d
                                                              • Instruction ID: 3c1b310ca4b4df59d436dc01645050d6a81c9ec2241321a76b93eccf110e213f
                                                              • Opcode Fuzzy Hash: 2455177201d59c4c89735a9f094db849a45f318be9e8c056b45f7960fe51e68d
                                                              • Instruction Fuzzy Hash: 1A32F2A1D39F414ED7639A34ED26336A248AFB73D8F15D737E819B59A6EF28C4834100
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bcbc94961dfd812a7c22984440d58a9060d9baeaeb5a4381abf70fe5fec7d41
                                                              • Instruction ID: 0a9417379d0d3edb123123879c0a017ed93106d93a5c8967d508583d26e3823b
                                                              • Opcode Fuzzy Hash: 8bcbc94961dfd812a7c22984440d58a9060d9baeaeb5a4381abf70fe5fec7d41
                                                              • Instruction Fuzzy Hash: 7DB10120D2AF408ED76396399835336BB5CAFBB2D5F91D71BFC2674D22EB2185838141
                                                              APIs
                                                              • __time64.LIBCMT ref: 0027889B
                                                                • Part of subcall function 0023520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00278F6E,00000000,?,?,?,?,0027911F,00000000,?), ref: 00235213
                                                                • Part of subcall function 0023520A: __aulldiv.LIBCMT ref: 00235233
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                              • String ID:
                                                              • API String ID: 2893107130-0
                                                              • Opcode ID: 5732ac6aa3dc19f530b02be352a96df3f293e3b87e28699a1785fda276e6732f
                                                              • Instruction ID: 5a4ec0d7b6608d76f5413b8c93e950a92f49e7ffc5240f6c66855d2407e0bd79
                                                              • Opcode Fuzzy Hash: 5732ac6aa3dc19f530b02be352a96df3f293e3b87e28699a1785fda276e6732f
                                                              • Instruction Fuzzy Hash: E021E432A355118BC329CF25E845A52B3E1EFA5310F688E6DD0F9CB2C0CA34BD45CB54
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0029D838
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogLongNtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 2065330234-0
                                                              • Opcode ID: 88f2c87a74087ef4a3f5f1f115efd97a476fba196ab676ded7ad39320f2dbd64
                                                              • Instruction ID: e2da38cf1c5acb8adcf9226d3cb8081137cf923231dc59458f7eca69cb45c075
                                                              • Opcode Fuzzy Hash: 88f2c87a74087ef4a3f5f1f115efd97a476fba196ab676ded7ad39320f2dbd64
                                                              • Instruction Fuzzy Hash: 0E11EB34224265ABFF255E2CCD09FBE7754EB41720F204315F5155A6E3CAA09D21A6A4
                                                              APIs
                                                                • Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0024B952,?,?,?,?,00000000,?), ref: 0029D432
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogLongNtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 2065330234-0
                                                              • Opcode ID: 2817e424acffa0ee704eb3958042873df7e8fae4d94b6ace4b6ac8b2a909478c
                                                              • Instruction ID: b0b4a4d9bee094059ea3809abb61840e14904b00dd1e22bfaefe1015a699e543
                                                              • Opcode Fuzzy Hash: 2817e424acffa0ee704eb3958042873df7e8fae4d94b6ace4b6ac8b2a909478c
                                                              • Instruction Fuzzy Hash: 94014731610019AFDF14CF28D889BFA3B92EF46321F844165FA065B291C331BC72EBA0
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00211B04,?,?,?,?,?), ref: 002118E2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogLongNtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 2065330234-0
                                                              • Opcode ID: c3f99b4cf191afd050b6668f07c6fd14c50627990b4ed99209bae55fb47a1af0
                                                              • Instruction ID: 8f9a60779edeb1ea062bc73974cf9d12f85b67ac47e821ec7df9028b4ebfb104
                                                              • Opcode Fuzzy Hash: c3f99b4cf191afd050b6668f07c6fd14c50627990b4ed99209bae55fb47a1af0
                                                              • Instruction Fuzzy Hash: B8F0BE30A11629DFEB08DF08E854AA637E2EB50310F60812AF9528B2E0C771DCB0EB50
                                                              APIs
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0029C8FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogNtdllProc_
                                                              • String ID:
                                                              • API String ID: 3239928679-0
                                                              • Opcode ID: 063f75a15e011933a5e2df69c9a70da336382c0da03f62ca2af14c59f89182e5
                                                              • Instruction ID: 31a268cb4360631a8c9d263e10f64fd8888c0bcb1655aa166ef8f3095e41e93d
                                                              • Opcode Fuzzy Hash: 063f75a15e011933a5e2df69c9a70da336382c0da03f62ca2af14c59f89182e5
                                                              • Instruction Fuzzy Hash: E9F06D31211295AFDF21EF58DC09FC67B95EB09320F544019BA15672E2CBB06C20EBA0
                                                              APIs
                                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00274C4A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: mouse_event
                                                              • String ID:
                                                              • API String ID: 2434400541-0
                                                              • Opcode ID: 541c10dcfc6f7d704d6a806e32d250175fea515c96942021d9df270c9f88bd91
                                                              • Instruction ID: 036ffc649c1bde3a9d919ac12dff3e5dedf594fe2ee9c7001351ac2629392ddc
                                                              • Opcode Fuzzy Hash: 541c10dcfc6f7d704d6a806e32d250175fea515c96942021d9df270c9f88bd91
                                                              • Instruction Fuzzy Hash: E5D05E9117520A78FC5D2B249E0FF7A0508E30078AFD0D14F7509CA0C1EFF05C605032
                                                              APIs
                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00268389), ref: 002687D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: LogonUser
                                                              • String ID:
                                                              • API String ID: 1244722697-0
                                                              • Opcode ID: 7f82595ad00fd5c9b54f8e3fd4281aaf26646fe3eb8f979ec2d51275704b098e
                                                              • Instruction ID: 8c575ddcbfe81d47aae7ca4d09c65a5a7839f5769440729b360fff215dbd3f74
                                                              • Opcode Fuzzy Hash: 7f82595ad00fd5c9b54f8e3fd4281aaf26646fe3eb8f979ec2d51275704b098e
                                                              • Instruction Fuzzy Hash: C6D05E3226450EABEF418EA4ED05EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                              APIs
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0024B9BC,?,?,?,?,?,?), ref: 0029C934
                                                                • Part of subcall function 0029B635: _memset.LIBCMT ref: 0029B644
                                                                • Part of subcall function 0029B635: _memset.LIBCMT ref: 0029B653
                                                                • Part of subcall function 0029B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002D6F20,002D6F64), ref: 0029B682
                                                                • Part of subcall function 0029B635: CloseHandle.KERNEL32 ref: 0029B694
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                              • String ID:
                                                              • API String ID: 2364484715-0
                                                              • Opcode ID: 73d362c387fbf93a31d28b1a2e206b8f5b009db961451c9e2fc86b6be9766cb3
                                                              • Instruction ID: 77b6451f60616d6993cbcda6a0c99eb2ed3765f47aaa5085a8c970b3cb9c0a1b
                                                              • Opcode Fuzzy Hash: 73d362c387fbf93a31d28b1a2e206b8f5b009db961451c9e2fc86b6be9766cb3
                                                              • Instruction Fuzzy Hash: C2E01231120208EFCF01AF48ED14E9537A5FB08301F018011FA05472B2C771AD70EF50
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00211AEE,?,?,?), ref: 002116AB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogLongNtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 2065330234-0
                                                              • Opcode ID: 4ae007b203982e442b77dac98375f5bc9dab1652b8cd69f4d3a21c4c08ec8e5b
                                                              • Instruction ID: d37b893372e18fabab8d9da92e113c9de225d37c696f7e920b261a01acbe350a
                                                              • Opcode Fuzzy Hash: 4ae007b203982e442b77dac98375f5bc9dab1652b8cd69f4d3a21c4c08ec8e5b
                                                              • Instruction Fuzzy Hash: 0CE0C230500218FBCF05AF90DC15E643B2AFB58300F608019FA454B2A1CB73A871EF10
                                                              APIs
                                                              • NtdllDialogWndProc_W.NTDLL ref: 0029C885
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogNtdllProc_
                                                              • String ID:
                                                              • API String ID: 3239928679-0
                                                              • Opcode ID: f4279dd5e4d02b6b273547b3330c9340f1d29e2640c505a353362de8dca1a887
                                                              • Instruction ID: d805b94511214448ea604e16a5c7beb3e2e6139eb3fbfd1867179f948bf6b33a
                                                              • Opcode Fuzzy Hash: f4279dd5e4d02b6b273547b3330c9340f1d29e2640c505a353362de8dca1a887
                                                              • Instruction Fuzzy Hash: B7E0E235200248EFCB41DF88E888E863BA5AB1D300F014055FA0587262C771A820EB61
                                                              APIs
                                                              • NtdllDialogWndProc_W.NTDLL ref: 0029C8B4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DialogNtdllProc_
                                                              • String ID:
                                                              • API String ID: 3239928679-0
                                                              • Opcode ID: c09b1bcc8c6f5d327151240a1e0e546b889dd8d9577ae2b2c2c111cb435f3b7e
                                                              • Instruction ID: ab953f488030a85754352186e514a6278216a8cb8ae51cacdea55b9105ee9863
                                                              • Opcode Fuzzy Hash: c09b1bcc8c6f5d327151240a1e0e546b889dd8d9577ae2b2c2c111cb435f3b7e
                                                              • Instruction Fuzzy Hash: D1E04275240249EFDB41DF88E949D963BA5AB1D700F414055FA1587262C771A860EBA1
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                                • Part of subcall function 0021201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002120D3
                                                                • Part of subcall function 0021201B: KillTimer.USER32(-00000001,?,?,?,?,002116CB,00000000,?,?,00211AE2,?,?), ref: 0021216E
                                                              • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00211AE2,?,?), ref: 002116D4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                              • String ID:
                                                              • API String ID: 2797419724-0
                                                              • Opcode ID: 5fc8af077b31be8b1b12de157a6f210f7851d83a737251dbd160c1405a80280b
                                                              • Instruction ID: cd3ebe5ffbe1275bc503a5e27115ce7121c867ace5b7252afd7c3bf1137a19b3
                                                              • Opcode Fuzzy Hash: 5fc8af077b31be8b1b12de157a6f210f7851d83a737251dbd160c1405a80280b
                                                              • Instruction Fuzzy Hash: EFD01270150728F7DB102B50DD1BF897A5D9B68750F908021BA04691D3CAB1AC70A958
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0023A12A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 39528305192aeea256e480e4044067e2cab58578eec4286825962c8863d463b4
                                                              • Instruction ID: 1ab1f35777c9009b08e6bda62e89a097c55108f70c7fe07f58dbe7be5b7646f0
                                                              • Opcode Fuzzy Hash: 39528305192aeea256e480e4044067e2cab58578eec4286825962c8863d463b4
                                                              • Instruction Fuzzy Hash: 9EA0123000010CE78A401B51FC084447F5CD6001907004061FC0C80021873254504584
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9a4b7ba64d37a8128844076804115772ec307dbb09e9efd8751d1b414f42697
                                                              • Instruction ID: b7dc283ce0765c9b28c86c24710888b367827d64ece67725be92c3a5d51f5490
                                                              • Opcode Fuzzy Hash: b9a4b7ba64d37a8128844076804115772ec307dbb09e9efd8751d1b414f42697
                                                              • Instruction Fuzzy Hash: E2220230935577ABDF388EA4E49477C77A1BB01304F28806AD9868B692DFB4DDF1CA41
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                              • Instruction ID: 822a48012d0f4061548fa3314d52139d12a2ad3811ffcd6eee62e499a2b1399f
                                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                              • Instruction Fuzzy Hash: 09C1A7B22251934ADF2D4A39C43403EFBA15EA3BB171A075DD8B3DB1D4EE20D979D620
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                              • Instruction ID: 3aeabf258fce6c91e52cfb6998e6ad0590f2c3ef20d7ebdaa33136692174151f
                                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                              • Instruction Fuzzy Hash: 87C187B22251934ADF2D4A39C43413EFBA15EA3BB171A076DD4B3DB1D5EE20C939D620
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1432043469.00000000015A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15a0000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 0028785B
                                                              • DeleteObject.GDI32(00000000), ref: 0028786D
                                                              • DestroyWindow.USER32 ref: 0028787B
                                                              • GetDesktopWindow.USER32 ref: 00287895
                                                              • GetWindowRect.USER32(00000000), ref: 0028789C
                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002879DD
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002879ED
                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287A35
                                                              • GetClientRect.USER32(00000000,?), ref: 00287A41
                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00287A7B
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287A9D
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287AB0
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287ABB
                                                              • GlobalLock.KERNEL32(00000000), ref: 00287AC4
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287AD3
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00287ADC
                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287AE3
                                                              • GlobalFree.KERNEL32(00000000), ref: 00287AEE
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00287B00
                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002A2CAC,00000000), ref: 00287B16
                                                              • GlobalFree.KERNEL32(00000000), ref: 00287B26
                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00287B4C
                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00287B6B
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287B8D
                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00287D7A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                              • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                                              • API String ID: 2211948467-3613752883
                                                              APIs
                                                              • SetTextColor.GDI32(?,00000000), ref: 0029A630
                                                              • GetSysColorBrush.USER32(0000000F), ref: 0029A661
                                                              • GetSysColor.USER32(0000000F), ref: 0029A66D
                                                              • SetBkColor.GDI32(?,000000FF), ref: 0029A687
                                                              • SelectObject.GDI32(?,00000000), ref: 0029A696
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0029A6C1
                                                              • GetSysColor.USER32(00000010), ref: 0029A6C9
                                                              • CreateSolidBrush.GDI32(00000000), ref: 0029A6D0
                                                              • FrameRect.USER32(?,?,00000000), ref: 0029A6DF
                                                              • DeleteObject.GDI32(00000000), ref: 0029A6E6
                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0029A731
                                                              • FillRect.USER32(?,?,00000000), ref: 0029A763
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0029A78E
                                                                • Part of subcall function 0029A8CA: GetSysColor.USER32(00000012), ref: 0029A903
                                                                • Part of subcall function 0029A8CA: SetTextColor.GDI32(?,?), ref: 0029A907
                                                                • Part of subcall function 0029A8CA: GetSysColorBrush.USER32(0000000F), ref: 0029A91D
                                                                • Part of subcall function 0029A8CA: GetSysColor.USER32(0000000F), ref: 0029A928
                                                                • Part of subcall function 0029A8CA: GetSysColor.USER32(00000011), ref: 0029A945
                                                                • Part of subcall function 0029A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0029A953
                                                                • Part of subcall function 0029A8CA: SelectObject.GDI32(?,00000000), ref: 0029A964
                                                                • Part of subcall function 0029A8CA: SetBkColor.GDI32(?,00000000), ref: 0029A96D
                                                                • Part of subcall function 0029A8CA: SelectObject.GDI32(?,?), ref: 0029A97A
                                                                • Part of subcall function 0029A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0029A999
                                                                • Part of subcall function 0029A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0029A9B0
                                                                • Part of subcall function 0029A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0029A9C5
                                                                • Part of subcall function 0029A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0029A9ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                              • String ID: @U=u
                                                              • API String ID: 3521893082-2594219639
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,0029F910), ref: 00293627
                                                              • IsWindowVisible.USER32(?), ref: 0029364B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpperVisibleWindow
                                                              • String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                              • API String ID: 4105515805-3469695742
                                                              APIs
                                                              • DestroyWindow.USER32(00000000), ref: 002874DE
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0028759D
                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002875DB
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002875ED
                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00287633
                                                              • GetClientRect.USER32(00000000,?), ref: 0028763F
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00287683
                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00287692
                                                              • GetStockObject.GDI32(00000011), ref: 002876A2
                                                              • SelectObject.GDI32(00000000,00000000), ref: 002876A6
                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002876B6
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002876BF
                                                              • DeleteDC.GDI32(00000000), ref: 002876C8
                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002876F4
                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 0028770B
                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00287746
                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0028775A
                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 0028776B
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0028779B
                                                              • GetStockObject.GDI32(00000011), ref: 002877A6
                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002877B1
                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002877BB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                              • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                                              • API String ID: 2910397461-2771358697
                                                              APIs
                                                              • GetSysColor.USER32(00000012), ref: 0029A903
                                                              • SetTextColor.GDI32(?,?), ref: 0029A907
                                                              • GetSysColorBrush.USER32(0000000F), ref: 0029A91D
                                                              • GetSysColor.USER32(0000000F), ref: 0029A928
                                                              • CreateSolidBrush.GDI32(?), ref: 0029A92D
                                                              • GetSysColor.USER32(00000011), ref: 0029A945
                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0029A953
                                                              • SelectObject.GDI32(?,00000000), ref: 0029A964
                                                              • SetBkColor.GDI32(?,00000000), ref: 0029A96D
                                                              • SelectObject.GDI32(?,?), ref: 0029A97A
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0029A999
                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0029A9B0
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0029A9C5
                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0029A9ED
                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0029AA14
                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0029AA32
                                                              • DrawFocusRect.USER32(?,?), ref: 0029AA3D
                                                              • GetSysColor.USER32(00000011), ref: 0029AA4B
                                                              • SetTextColor.GDI32(?,00000000), ref: 0029AA53
                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0029AA67
                                                              • SelectObject.GDI32(?,0029A5FA), ref: 0029AA7E
                                                              • DeleteObject.GDI32(?), ref: 0029AA89
                                                              • SelectObject.GDI32(?,?), ref: 0029AA8F
                                                              • DeleteObject.GDI32(?), ref: 0029AA94
                                                              • SetTextColor.GDI32(?,?), ref: 0029AA9A
                                                              • SetBkColor.GDI32(?,?), ref: 0029AAA4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                              • String ID: @U=u
                                                              • API String ID: 1996641542-2594219639
                                                              • Opcode ID: 1d67f3b6366489417c07a5e87881eedb181658a2af4f521697885edc7a5a3e5a
                                                              • Instruction ID: 171605b3f8b3da7ecf8fbb1aa75ae00fea1f50cb64f225e405086ff61a30f5c3
                                                              • Opcode Fuzzy Hash: 1d67f3b6366489417c07a5e87881eedb181658a2af4f521697885edc7a5a3e5a
                                                              • Instruction Fuzzy Hash: 2A513C71900218EFDF509FA4ED48AAE7BB9FB08320F114226F915EB2A1D7719950DF90
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0027AD1E
                                                              • GetDriveTypeW.KERNEL32(?,0029FAC0,?,\\.\,0029F910), ref: 0027ADFB
                                                              • SetErrorMode.KERNEL32(00000000,0029FAC0,?,\\.\,0029F910), ref: 0027AF59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$DriveType
                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                              • API String ID: 2907320926-4222207086
                                                              • Opcode ID: 5595c9a66b2825de8b2a59c5f3849fa170f730f9a0a2b17193842d99b09d3108
                                                              • Instruction ID: 030456585db184f60ab7b940460d0fb54af5355304750ea750e458f715b0e276
                                                              • Opcode Fuzzy Hash: 5595c9a66b2825de8b2a59c5f3849fa170f730f9a0a2b17193842d99b09d3108
                                                              • Instruction Fuzzy Hash: 3C5181B1679205EB8B10DF10C952DBE73A0EB99724720C16BE40BA76D0DA729D71DB83
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?), ref: 00212CA2
                                                              • DeleteObject.GDI32(00000000), ref: 00212CE8
                                                              • DeleteObject.GDI32(00000000), ref: 00212CF3
                                                              • DestroyCursor.USER32(00000000), ref: 00212CFE
                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00212D09
                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0024C43B
                                                              • 6FB80200.COMCTL32(?,000000FF,?), ref: 0024C474
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0024C89D
                                                                • Part of subcall function 00211B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00212036,?,00000000,?,?,?,?,002116CB,00000000,?), ref: 00211B9A
                                                              • SendMessageW.USER32(?,00001053), ref: 0024C8DA
                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0024C8F1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: DestroyMessageSendWindow$DeleteObject$B80200CursorInvalidateMoveRect
                                                              • String ID: 0$@U=u
                                                              • API String ID: 295266683-975001249
                                                              • Opcode ID: 8c4f57a50957742e3624cdb1b22b33d4159683cb241a29ccdfb58a92dd167e43
                                                              • Instruction ID: b8c2c6d71d94baecfcf2f9dfa470f9736cb45e55f5062f60deeecad5c57ef16e
                                                              • Opcode Fuzzy Hash: 8c4f57a50957742e3624cdb1b22b33d4159683cb241a29ccdfb58a92dd167e43
                                                              • Instruction Fuzzy Hash: 5B12BF30121202EFDB99CF28C988BA9B7E5BF54300F65416AF595DB262C731E8B5CF90
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00299AD2
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00299B8B
                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 00299BA7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: 0$@U=u
                                                              • API String ID: 2326795674-975001249
                                                              • Opcode ID: 856dc8f944142d8f52327f647de0250affc85b8de27898881da9773a005ce84a
                                                              • Instruction ID: 59adbccc3369173c877cd8bc2ccb40fa8414f04c27330be9b9b52029ca359c11
                                                              • Opcode Fuzzy Hash: 856dc8f944142d8f52327f647de0250affc85b8de27898881da9773a005ce84a
                                                              • Instruction Fuzzy Hash: 0402E230124302AFEB25CF18CC49BAABBE5FF49324F04452EF999D62A1C775D8A4CB51
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                              • API String ID: 1038674560-86951937
                                                              • Opcode ID: 9da8bd2a6e16fda3d6a2eb5c158d9f1a11887e147ecd2da383ed3a6d52c1c1a6
                                                              • Instruction ID: 734acd215eef23c6cd0c7180f74f5c9db00d8f9de64635a774e3f7f43213d491
                                                              • Opcode Fuzzy Hash: 9da8bd2a6e16fda3d6a2eb5c158d9f1a11887e147ecd2da383ed3a6d52c1c1a6
                                                              • Instruction Fuzzy Hash: 55810CB1670206ABDF15EE60DC56FFE77ACAF25700F044024F805AA191EB61DAB5CA61
                                                              APIs
                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00298AC1
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00298AD2
                                                              • CharNextW.USER32(0000014E), ref: 00298B01
                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00298B42
                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00298B58
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00298B69
                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00298B86
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00298BD8
                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00298BEE
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00298C1F
                                                              • _memset.LIBCMT ref: 00298C44
                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00298C8D
                                                              • _memset.LIBCMT ref: 00298CEC
                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00298D16
                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00298D6E
                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00298E1B
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00298E3D
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00298E87
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00298EB4
                                                              • DrawMenuBar.USER32(?), ref: 00298EC3
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00298EEB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                              • String ID: 0$@U=u
                                                              • API String ID: 1073566785-975001249
                                                              • Opcode ID: a28f3d84b6a646e80e445a5858276cd2d2106a539f6864519dbbd1b1e90677e2
                                                              • Instruction ID: 0ffc0826d15f76d7480e3df047b4d580b349c38d088f04d738acf723867faabb
                                                              • Opcode Fuzzy Hash: a28f3d84b6a646e80e445a5858276cd2d2106a539f6864519dbbd1b1e90677e2
                                                              • Instruction Fuzzy Hash: 40E18471920219AFDF20DF60DC88EEE7B79EF0A710F148156F915AB190DB7489A4DF60
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 002949CA
                                                              • GetDesktopWindow.USER32 ref: 002949DF
                                                              • GetWindowRect.USER32(00000000), ref: 002949E6
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00294A48
                                                              • DestroyWindow.USER32(?), ref: 00294A74
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00294A9D
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00294ABB
                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00294AE1
                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00294AF6
                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00294B09
                                                              • IsWindowVisible.USER32(?), ref: 00294B29
                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00294B44
                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00294B58
                                                              • GetWindowRect.USER32(?,?), ref: 00294B70
                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00294B96
                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00294BB0
                                                              • CopyRect.USER32(?,?), ref: 00294BC7
                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00294C32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                              • String ID: ($0$tooltips_class32
                                                              • API String ID: 698492251-4156429822
                                                              • Opcode ID: fa43bbe4b1442bbdb75900e148587d4ea6ebb5788dc97d7b7e8150dcbd7b8659
                                                              • Instruction ID: aeecbd6c291767fe9f16162e98824130bc24d4fd58b21a263b96688a4ae4e6fd
                                                              • Opcode Fuzzy Hash: fa43bbe4b1442bbdb75900e148587d4ea6ebb5788dc97d7b7e8150dcbd7b8659
                                                              • Instruction Fuzzy Hash: 86B1BC70628301AFDB44EF64C858F5BBBE4BF88304F008A1DF5999B2A1D770E956CB91
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002128BC
                                                              • GetSystemMetrics.USER32(00000007), ref: 002128C4
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002128EF
                                                              • GetSystemMetrics.USER32(00000008), ref: 002128F7
                                                              • GetSystemMetrics.USER32(00000004), ref: 0021291C
                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00212939
                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00212949
                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0021297C
                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00212990
                                                              • GetClientRect.USER32(00000000,000000FF), ref: 002129AE
                                                              • GetStockObject.GDI32(00000011), ref: 002129CA
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 002129D5
                                                                • Part of subcall function 00212344: GetCursorPos.USER32(?), ref: 00212357
                                                                • Part of subcall function 00212344: ScreenToClient.USER32(002D57B0,?), ref: 00212374
                                                                • Part of subcall function 00212344: GetAsyncKeyState.USER32(00000001), ref: 00212399
                                                                • Part of subcall function 00212344: GetAsyncKeyState.USER32(00000002), ref: 002123A7
                                                              • SetTimer.USER32(00000000,00000000,00000028,00211256), ref: 002129FC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                              • String ID: @U=u$AutoIt v3 GUI
                                                              • API String ID: 1458621304-2077007950
                                                              • Opcode ID: ef14c93390c1b8a341ad045a6d2e58382979e7cb1cff6fba3f4308c86471ed90
                                                              • Instruction ID: 46c1473e9d3ed948a5457ec589bbed734aefe0edfc73663bf8deada7a35b597d
                                                              • Opcode Fuzzy Hash: ef14c93390c1b8a341ad045a6d2e58382979e7cb1cff6fba3f4308c86471ed90
                                                              • Instruction Fuzzy Hash: 56B17F71A1120ADFDB54DFA8DD49BEE7BB4FB18311F20412AFA15E7290DB7498A0CB50
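The two listings above, the __wcsnicmp routine carrying the AutoIt preprocessor directives and error messages ("#include-once", "#notrayicon", "#requireadmin", "Cannot parse #include", ...) and the CreateWindowExW call registering the "AutoIt v3 GUI" window class, are the kind of evidence behind the report's "Binary is likely a compiled AutoIt script file" signature. The following Python is an added triage check written for this report, not part of Joe Sandbox or of AutoIt: it scans a file on disk, or offline a constructed stand-in blob, for those markers in UTF-16LE (the interpreter compares them with the wide-string __wcsnicmp) and in ASCII, and reports which were found. The marker list, the MIN_DIRECTIVE_HITS threshold and the helper names are this example's own assumptions.

```python
"""Static triage check for AutoIt-interpreter markers in a sample.

Added example, not code from the Joe Sandbox report or from AutoIt.
"""
from __future__ import annotations

import sys

# Strings copied from the report's "String ID" fields: preprocessor
# directives and error messages of the embedded AutoIt interpreter, plus
# its main window class. The very short tokens ("#cs", "#ce", "#include")
# are left out on purpose because they occur in unrelated software too.
AUTOIT_DIRECTIVES = (
    "#OnAutoItStartRegister",
    "#comments-end",
    "#comments-start",
    "#include-once",
    "#notrayicon",
    "#pragma compile",
    "#requireadmin",
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
)
AUTOIT_WINDOW_CLASS = "AutoIt v3 GUI"

# Hypothetical threshold chosen for this example: the window class alone is
# specific enough; otherwise require several directive strings together.
MIN_DIRECTIVE_HITS = 3


def find_autoit_markers(blob: bytes) -> dict[str, list[str]]:
    """Return the markers present in `blob`, keyed by the encoding they
    were found in. The interpreter stores them as wide strings, so a memory
    dump or the on-disk PE normally yields UTF-16LE hits."""
    hits: dict[str, list[str]] = {"utf-16le": [], "ascii": []}
    for marker in AUTOIT_DIRECTIVES + (AUTOIT_WINDOW_CLASS,):
        if marker.encode("utf-16-le") in blob:
            hits["utf-16le"].append(marker)
        if marker.encode("ascii") in blob:
            hits["ascii"].append(marker)
    return hits


def looks_like_compiled_autoit(blob: bytes) -> bool:
    """Decide whether the blob carries the AutoIt interpreter."""
    hits = find_autoit_markers(blob)
    found = set(hits["utf-16le"]) | set(hits["ascii"])
    if AUTOIT_WINDOW_CLASS in found:
        return True
    return len(found & set(AUTOIT_DIRECTIVES)) >= MIN_DIRECTIVE_HITS


def constructed_sample() -> bytes:
    """Constructed stand-in for a memory dump (not the real sample): binary
    filler with a few markers embedded as NUL-terminated UTF-16LE strings,
    the way the interpreter keeps them."""
    filler = b"MZ\x90\x00" + bytes(range(256)) * 4
    embedded = b"".join(
        m.encode("utf-16-le") + b"\x00\x00"
        for m in ("#notrayicon", "#requireadmin",
                  "Cannot parse #include", AUTOIT_WINDOW_CLASS)
    )
    return filler + embedded + filler


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = constructed_sample()
    for encoding, markers in find_autoit_markers(data).items():
        print(f"{encoding}: {markers}")
    print("compiled AutoIt:", looks_like_compiled_autoit(data))
```

Run it against a dropped file or a process dump (`python autoit_check.py dump.bin`); without an argument it runs on the constructed blob. Treat a positive result as corroboration of the signature above, not as proof of the payload: the AutoIt interpreter is legitimate software, and the AgentTesla verdict in this report rests on the behaviour and configuration the sandbox extracted, not on the interpreter strings alone.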
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$75381560_wcscmp_wcscpy_wcsncpy_wcsstr
                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                              • API String ID: 2056390432-1459072770
                                                              • Opcode ID: e7184a5054637a074532aff7696a61f5409168ac4f22a16371786503e15018e4
                                                              • Instruction ID: 104f159038c01e160e8a5fd015458c27b4725e8c0b8915769ecdf07de6c28c9c
                                                              • Opcode Fuzzy Hash: e7184a5054637a074532aff7696a61f5409168ac4f22a16371786503e15018e4
                                                              • Instruction Fuzzy Hash: 8A413A72630215BBDB10FB709C47EBF77ACDF46710F10406AF904E6182EB319A318AA9
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0029BA56
                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0029BA6D
                                                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0029BA78
                                                              • CloseHandle.KERNEL32(00000000), ref: 0029BA85
                                                              • GlobalLock.KERNEL32(00000000), ref: 0029BA8E
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0029BA9D
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0029BAA6
                                                              • CloseHandle.KERNEL32(00000000), ref: 0029BAAD
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0029BABE
                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,002A2CAC,?), ref: 0029BAD7
                                                              • GlobalFree.KERNEL32(00000000), ref: 0029BAE7
                                                              • GetObjectW.GDI32(?,00000018,000000FF), ref: 0029BB0B
                                                              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0029BB36
                                                              • DeleteObject.GDI32(00000000), ref: 0029BB5E
                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0029BB74
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                              • String ID: @U=u
                                                              • API String ID: 3840717409-2594219639
                                                              • Opcode ID: 86dcaea879cb67508414ec2270373be56c90388e6951c88bdc611b9b66fb3385
                                                              • Instruction ID: 0a47db399c43e34311a8a17b0066b08f3d53ae6ae2e75ed6b50cfadae0a6bbcd
                                                              • Opcode Fuzzy Hash: 86dcaea879cb67508414ec2270373be56c90388e6951c88bdc611b9b66fb3385
                                                              • Instruction Fuzzy Hash: E7416975600209EFCB919F65EE8CEAABBB9FF89711F104069F909D72A0D7709D11CB60
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0026A47A
                                                              • __swprintf.LIBCMT ref: 0026A51B
                                                              • _wcscmp.LIBCMT ref: 0026A52E
                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0026A583
                                                              • _wcscmp.LIBCMT ref: 0026A5BF
                                                              • GetClassNameW.USER32(?,?,00000400), ref: 0026A5F6
                                                              • GetDlgCtrlID.USER32(?), ref: 0026A648
                                                              • GetWindowRect.USER32(?,?), ref: 0026A67E
                                                              • GetParent.USER32(?), ref: 0026A69C
                                                              • ScreenToClient.USER32(00000000), ref: 0026A6A3
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0026A71D
                                                              • _wcscmp.LIBCMT ref: 0026A731
                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0026A757
                                                              • _wcscmp.LIBCMT ref: 0026A76B
                                                                • Part of subcall function 0023362C: _iswctype.LIBCMT ref: 00233634
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                              • String ID: %s%u
                                                              • API String ID: 3744389584-679674701
                                                              • Opcode ID: 2657a9522a2af9c9bc7ab6fda7b5ebf4bbe4eb871bf60bebae856d0c992df11c
                                                              • Instruction ID: 144322d5edfbf5f7ec4c5ed0e225101c5bf3d61499fa75c953eb53b2f69f8784
                                                              • Opcode Fuzzy Hash: 2657a9522a2af9c9bc7ab6fda7b5ebf4bbe4eb871bf60bebae856d0c992df11c
                                                              • Instruction Fuzzy Hash: 6DA1B271224307AFDB15DF64C884BAAF7E8FF44315F104529E99AE2150DB30E9A5CF92
                                                              APIs
                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0026AF18
                                                              • _wcscmp.LIBCMT ref: 0026AF29
                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0026AF51
                                                              • CharUpperBuffW.USER32(?,00000000), ref: 0026AF6E
                                                              • _wcscmp.LIBCMT ref: 0026AF8C
                                                              • _wcsstr.LIBCMT ref: 0026AF9D
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0026AFD5
                                                              • _wcscmp.LIBCMT ref: 0026AFE5
                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0026B00C
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0026B055
                                                              • _wcscmp.LIBCMT ref: 0026B065
                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0026B08D
                                                              • GetWindowRect.USER32(00000004,?), ref: 0026B0F6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                              • String ID: @$ThumbnailClass
                                                              • API String ID: 1788623398-1539354611
                                                              • Opcode ID: 2e7d7b27955dd032a68c22efae133619c4b4d32b4d26f1b096a2cbe4b31aeb6c
                                                              • Instruction ID: f0fb1b44e93d87a1da1a361d524c3fd60f6ba40b4a08104cd2743f7e81d834f4
                                                              • Opcode Fuzzy Hash: 2e7d7b27955dd032a68c22efae133619c4b4d32b4d26f1b096a2cbe4b31aeb6c
                                                              • Instruction Fuzzy Hash: 2F81A171124206ABDB05DF10C885BAA7BE8EF44314F0484AAFD89DA091DB35DDE5CFA2
                                                              APIs
                                                              • _memset.LIBCMT ref: 0029A259
                                                              • DestroyWindow.USER32(?,?), ref: 0029A2D3
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0029A34D
                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0029A36F
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0029A382
                                                              • DestroyWindow.USER32(00000000), ref: 0029A3A4
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00210000,00000000), ref: 0029A3DB
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0029A3F4
                                                              • GetDesktopWindow.USER32 ref: 0029A40D
                                                              • GetWindowRect.USER32(00000000), ref: 0029A414
                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0029A42C
                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0029A444
                                                                • Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                              • String ID: 0$@U=u$tooltips_class32
                                                              • API String ID: 1297703922-1130792468
                                                              • Opcode ID: c35bb981cc5eaba1bf660d4ad1b32e3e5fdb9aef1b18b87287c52db9ace31224
                                                              • Instruction ID: b250ef6d59b291f6fec5bf1262e37b47032c17182f78abc9257fd62d70f756c0
                                                              • Opcode Fuzzy Hash: c35bb981cc5eaba1bf660d4ad1b32e3e5fdb9aef1b18b87287c52db9ace31224
                                                              • Instruction Fuzzy Hash: 0C719A70150305AFDB21CF28DC49FAA7BE9FB89304F04452DF985872A0D7B0E962DB92
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                              • API String ID: 1038674560-1810252412
                                                              • Opcode ID: 53bbb91bb60137b272c30edc83dc7e2877c3fb386087a9ec470880c00f955f8a
                                                              • Instruction ID: 1b4e762866216e86d274171d845437c4854148f039cbbc873d9f37fa0636da34
                                                              • Opcode Fuzzy Hash: 53bbb91bb60137b272c30edc83dc7e2877c3fb386087a9ec470880c00f955f8a
                                                              • Instruction Fuzzy Hash: 49316271978209AADB14EA50DD43FEE77B4AF21710F60052AF412710D1EF616FB48E92
                                                              APIs
                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00285013
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0028501E
                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00285029
                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00285034
                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 0028503F
                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 0028504A
                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00285055
                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00285060
                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 0028506B
                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00285076
                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00285081
                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 0028508C
                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00285097
                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 002850A2
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 002850AD
                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 002850B8
                                                              • GetCursorInfo.USER32(?), ref: 002850C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Cursor$Load$Info
                                                              • String ID:
                                                              • API String ID: 2577412497-0
                                                              • Opcode ID: 740e330312d09e68afb41f1771eb217ef6eb198e3e6456498721dfb8190ae92d
                                                              • Instruction ID: 2db8b65d0d540f9d68c4920117bc149b90e1407c4ab577ca9ed0d62ab9d2a9e6
                                                              • Opcode Fuzzy Hash: 740e330312d09e68afb41f1771eb217ef6eb198e3e6456498721dfb8190ae92d
                                                              • Instruction Fuzzy Hash: 183115B1D5931E6ADF109FB68C8999FBFE8FF08750F50452AA50CE7280DA786500CF91
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00294424
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0029446F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                              • API String ID: 3974292440-383632319
                                                              • Opcode ID: 920f4a799d6b97abe8f8b48b7c2d8d7261d24a18dcdb63696a28c5b694f67584
                                                              • Instruction ID: 146dcbab653b5b693d8054e2c7e359225159b8b891cd5677b6ab1226cc439feb
                                                              • Opcode Fuzzy Hash: 920f4a799d6b97abe8f8b48b7c2d8d7261d24a18dcdb63696a28c5b694f67584
                                                              • Instruction Fuzzy Hash: CD916D702243019BCB04EF10C461EAEB7E5AF95754F45486CF8965B3A2CB31EDAACF91
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0029B8B4
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00296B11,?), ref: 0029B910
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0029B949
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0029B98C
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0029B9C3
                                                              • FreeLibrary.KERNEL32(?), ref: 0029B9CF
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0029B9DF
                                                              • DestroyCursor.USER32(?), ref: 0029B9EE
                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0029BA0B
                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0029BA17
                                                                • Part of subcall function 00232EFD: __wcsicmp_l.LIBCMT ref: 00232F86
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                              • String ID: .dll$.exe$.icl$@U=u
                                                              • API String ID: 3907162815-1639919054
                                                              • Opcode ID: 28587d5c5306989f239fa4a8357fde5fae9a1f4ae0de0cab9b7374416cf1ea4f
                                                              • Instruction ID: 733fc02df247a965eebaa1145192bead8c8497dab60c3b235484f09989cdbc84
                                                              • Opcode Fuzzy Hash: 28587d5c5306989f239fa4a8357fde5fae9a1f4ae0de0cab9b7374416cf1ea4f
                                                              • Instruction Fuzzy Hash: 0A61DE71920219BAEF15DF64EE45FBE7BACFB08710F10411AF915D61C0DB74AAA0DBA0
                                                              APIs
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                              • CharLowerBuffW.USER32(?,?), ref: 0027A3CB
                                                              • GetDriveTypeW.KERNEL32 ref: 0027A418
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027A460
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027A497
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027A4C5
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                              • API String ID: 2698844021-4113822522
                                                              • Opcode ID: 8e1085b24b2d0aeba302c74691dc12661bd382c61c5782c6f23682d7d7bdb428
                                                              • Instruction ID: cfef502a979a26b9275dfadd64b4f16308c32b02510919a38105b8890eb5977d
                                                              • Opcode Fuzzy Hash: 8e1085b24b2d0aeba302c74691dc12661bd382c61c5782c6f23682d7d7bdb428
                                                              • Instruction Fuzzy Hash: CE513C711282059FC700EF10C891DAAB3F4EF99718F10896DF89A97251DB31EE5ACF92
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0024E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0026F8DF
                                                              • LoadStringW.USER32(00000000,?,0024E029,00000001), ref: 0026F8E8
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0024E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0026F90A
                                                              • LoadStringW.USER32(00000000,?,0024E029,00000001), ref: 0026F90D
                                                              • __swprintf.LIBCMT ref: 0026F95D
                                                              • __swprintf.LIBCMT ref: 0026F96E
                                                              • _wprintf.LIBCMT ref: 0026FA17
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0026FA2E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                              • API String ID: 984253442-2268648507
                                                              • Opcode ID: 2a1a1c7160486d8c16aca50009ac7bf5da619be3b5236053b63da371714a1527
                                                              • Instruction ID: ab608e11d761f104527b816f531fdf2e1c2d0e89fba90a10d6e94b89be286076
                                                              • Opcode Fuzzy Hash: 2a1a1c7160486d8c16aca50009ac7bf5da619be3b5236053b63da371714a1527
                                                              • Instruction Fuzzy Hash: DE412F7281411DAACF04FBE0DE4AEEE77BCAF64300F100465B505B6091EB316FA9CEA1
                                                              APIs
                                                                • Part of subcall function 00230957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00216B0C,?,00008000), ref: 00230973
                                                                • Part of subcall function 00214750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00214743,?,?,002137AE,?), ref: 00214770
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00216BAD
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00216CFA
                                                                • Part of subcall function 0021586D: _wcscpy.LIBCMT ref: 002158A5
                                                                • Part of subcall function 0023363D: _iswctype.LIBCMT ref: 00233645
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$/v!$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                              • API String ID: 537147316-3279897793
                                                              • Opcode ID: 913d035aa8354ec9b42a2604c22ce51dcca2ba684d8a3ab4651aa285c3eb9052
                                                              • Instruction ID: 327b019497ea00b71d435f1e795e4da97258e23d91b36f87288da2bc3672e0e7
                                                              • Opcode Fuzzy Hash: 913d035aa8354ec9b42a2604c22ce51dcca2ba684d8a3ab4651aa285c3eb9052
                                                              • Instruction Fuzzy Hash: BE02AE701283419FCB24EF20D8819AFBBE5BFA9314F14491DF489972A1DB70D9A9CF52
                                                              APIs
                                                              • __wsplitpath.LIBCMT ref: 0027DA10
                                                              • _wcscat.LIBCMT ref: 0027DA28
                                                              • _wcscat.LIBCMT ref: 0027DA3A
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0027DA4F
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0027DA63
                                                              • GetFileAttributesW.KERNEL32(?), ref: 0027DA7B
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 0027DA95
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0027DAA7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                              • String ID: *.*
                                                              • API String ID: 34673085-438819550
                                                              • Opcode ID: 4f34758a3845469bfb432587744354e2598df8fd1b755ef6ba80fbddc755c351
                                                              • Instruction ID: 89fe38a1c4dfa54c212ce34c6d813c7693fc48e806b17927564eae78f48ae401
                                                              • Opcode Fuzzy Hash: 4f34758a3845469bfb432587744354e2598df8fd1b755ef6ba80fbddc755c351
                                                              • Instruction Fuzzy Hash: 3381B272524342DFCB64EF64C845AAAB7F4BF89310F18882EF98DC7251E630D995CB52
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0028738F
                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0028739B
                                                              • CreateCompatibleDC.GDI32(?), ref: 002873A7
                                                              • SelectObject.GDI32(00000000,?), ref: 002873B4
                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00287408
                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00287444
                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00287468
                                                              • SelectObject.GDI32(00000006,?), ref: 00287470
                                                              • DeleteObject.GDI32(?), ref: 00287479
                                                              • DeleteDC.GDI32(00000006), ref: 00287480
                                                              • ReleaseDC.USER32(00000000,?), ref: 0028748B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                              • String ID: (
                                                              • API String ID: 2598888154-3887548279
                                                              • Opcode ID: 7cd141e0ddce4a64f4063cdae9bed3a08a6b07ac3021319c76ce16fcec2a588b
                                                              • Instruction ID: d1f6670712c7eb9d9b813278e4cd57dc4267c5e10f022f16e5ebea56ed44eb7c
                                                              • Opcode Fuzzy Hash: 7cd141e0ddce4a64f4063cdae9bed3a08a6b07ac3021319c76ce16fcec2a588b
                                                              • Instruction Fuzzy Hash: 2B516875914309EFCB54DFA8DC88EAEBBB9EF48310F24842AF959D7250D731A8508B60
                                                              APIs
                                                              • timeGetTime.WINMM ref: 00274F7A
                                                                • Part of subcall function 0023049F: timeGetTime.WINMM(?,753DB400,00220E7B), ref: 002304A3
                                                              • Sleep.KERNEL32(0000000A), ref: 00274FA6
                                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00274FCA
                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00274FEC
                                                              • SetActiveWindow.USER32 ref: 0027500B
                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00275019
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00275038
                                                              • Sleep.KERNEL32(000000FA), ref: 00275043
                                                              • IsWindow.USER32 ref: 0027504F
                                                              • EndDialog.USER32(00000000), ref: 00275060
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                              • String ID: @U=u$BUTTON
                                                              • API String ID: 1194449130-2582809321
                                                              • Opcode ID: ad8922f517847bb7b168ccd1889fcb083303e3c325187f494e40fbd044e9c497
                                                              • Instruction ID: 3455a1ee06a0ee3a878fef29feca19fc6801a591067e6cc6ddf4768ea7bc8051
                                                              • Opcode Fuzzy Hash: ad8922f517847bb7b168ccd1889fcb083303e3c325187f494e40fbd044e9c497
                                                              • Instruction Fuzzy Hash: 4821F374A11601AFE7906F30FD8CB263BADEB09345F44502AF509C11B8CBB18D70CA62
                                                              APIs
                                                              • _memset.LIBCMT ref: 00272D50
                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00272DDD
                                                              • GetMenuItemCount.USER32(002D5890), ref: 00272E66
                                                              • DeleteMenu.USER32(002D5890,00000005,00000000,000000F5,?,?), ref: 00272EF6
                                                              • DeleteMenu.USER32(002D5890,00000004,00000000), ref: 00272EFE
                                                              • DeleteMenu.USER32(002D5890,00000006,00000000), ref: 00272F06
                                                              • DeleteMenu.USER32(002D5890,00000003,00000000), ref: 00272F0E
                                                              • GetMenuItemCount.USER32(002D5890), ref: 00272F16
                                                              • SetMenuItemInfoW.USER32(002D5890,00000004,00000000,00000030), ref: 00272F4C
                                                              • GetCursorPos.USER32(?), ref: 00272F56
                                                              • SetForegroundWindow.USER32(00000000), ref: 00272F5F
                                                              • TrackPopupMenuEx.USER32(002D5890,00000000,?,00000000,00000000,00000000), ref: 00272F72
                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00272F7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                              • String ID:
                                                              • API String ID: 3993528054-0
                                                              • Opcode ID: e804fbeea1fed7a299b62ad8fd230984b3ed44fc9a62121ad7b764bc7e494880
                                                              • Instruction ID: a2bf770535ba7998232460e87db5b2bc0a4442b76cc8997f30de454ee621e0c8
                                                              • Opcode Fuzzy Hash: e804fbeea1fed7a299b62ad8fd230984b3ed44fc9a62121ad7b764bc7e494880
                                                              • Instruction Fuzzy Hash: 1E71C371610216FBEB219F54DC49FAABF64FF04314F108216F629A61E1C7B16C78DB91
                                                              APIs
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              • _memset.LIBCMT ref: 0026786B
                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002678A0
                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002678BC
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002678D8
                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00267902
                                                              • CLSIDFromString.COMBASE(?,?), ref: 0026792A
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00267935
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0026793A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                              • API String ID: 1411258926-22481851
                                                              • Opcode ID: 3b208776a49a8c394ac01ca570cf5b32fac39c7ee706e429c599ee8f0a642df0
                                                              • Instruction ID: 42327879701f5fff7d3c64cefb65934ec8a095f23e3a049543cab32b2134dbb3
                                                              • Opcode Fuzzy Hash: 3b208776a49a8c394ac01ca570cf5b32fac39c7ee706e429c599ee8f0a642df0
                                                              • Instruction Fuzzy Hash: 3A410672C2422DAADB11EFA4EC85DEDB7B8BF54714F00456AF905A3161EB305E64CF90
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028FDAD,?,?), ref: 00290E31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                              • API String ID: 3964851224-909552448
                                                              • Opcode ID: 6b5a9931165c7b9d343bcdbbbc24a328868c3cd96a356ec16b27b79e9e7d4931
                                                              • Instruction ID: afb32cc49141eadc50fc8901ba5d5c5854b1ea86c3259fd94a0cde8267a3ec2b
                                                              • Opcode Fuzzy Hash: 6b5a9931165c7b9d343bcdbbbc24a328868c3cd96a356ec16b27b79e9e7d4931
                                                              • Instruction Fuzzy Hash: 34415E7113024E8FCF24EF10E8A5AEE3764AF61740F540458FC961B691DB309E7ACBA0
                                                              APIs
                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0029755E
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00297565
                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00297578
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00297580
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0029758B
                                                              • DeleteDC.GDI32(00000000), ref: 00297594
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0029759E
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002975B2
                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002975BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                              • String ID: @U=u$static
                                                              • API String ID: 2559357485-3553413495
                                                              • Opcode ID: 01e0a5eaca19d880f6c3a3fe625dbdd72a3914f4d2fcf2eb9c2f72a033288833
                                                              • Instruction ID: c5240f71a44bc0b8ac9745858a8f65cf5cec4af1c43ff6d41763a81457408e82
                                                              • Opcode Fuzzy Hash: 01e0a5eaca19d880f6c3a3fe625dbdd72a3914f4d2fcf2eb9c2f72a033288833
                                                              • Instruction Fuzzy Hash: 88318D72125215BBDF929FA4ED09FDB3B69FF09320F150225FA15E60A0D731D821DBA4
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0024E2A0,00000010,?,Bad directive syntax error,0029F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0026F7C2
                                                              • LoadStringW.USER32(00000000,?,0024E2A0,00000010), ref: 0026F7C9
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                              • _wprintf.LIBCMT ref: 0026F7FC
                                                              • __swprintf.LIBCMT ref: 0026F81E
                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0026F88D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                              • API String ID: 1506413516-4153970271
                                                              • Opcode ID: 6c54e69b24a394b8fcf37eca7e175baafe001216158e5e246ffd38bf68d94861
                                                              • Instruction ID: cfb5a89be47276050dd1721a0ea31f56b1db14719b51c8abc21d8e9da63cec35
                                                              • Opcode Fuzzy Hash: 6c54e69b24a394b8fcf37eca7e175baafe001216158e5e246ffd38bf68d94861
                                                              • Instruction Fuzzy Hash: 56215E3292421AEBCF11EF90DC4AEEE7779BF24300F04486AB515660A1EA719678DF51
                                                              APIs
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                                • Part of subcall function 00217924: _memmove.LIBCMT ref: 002179AD
                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00275330
                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00275346
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00275357
                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00275369
                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0027537A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: SendString$_memmove
                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                              • API String ID: 2279737902-1007645807
                                                              • Opcode ID: f8a98087f87accafaa0718c1d7bd8106f28e8916abf6f99688bcdd810f9c5d23
                                                              • Instruction ID: db833e446a96fbf77b96942924641aecf1de9fd73cf4919ef5c3e1e53ba44f4d
                                                              • Opcode Fuzzy Hash: f8a98087f87accafaa0718c1d7bd8106f28e8916abf6f99688bcdd810f9c5d23
                                                              • Instruction Fuzzy Hash: 6911983197016A79D720B761CC49EFFFBBCEBE2B44F10495A7415920E1EEB00D65C9A1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                              • String ID: 0.0.0.0
                                                              • API String ID: 208665112-3771769585
                                                              • Opcode ID: dcf605b6f96a3c93a04823ebaca9239b375434753235513d03e5452d4c84143c
                                                              • Instruction ID: 17da843d19c8bc9837618821651a0535b1a8e98b525ecbdb2e23638c9feb3f77
                                                              • Opcode Fuzzy Hash: dcf605b6f96a3c93a04823ebaca9239b375434753235513d03e5452d4c84143c
                                                              • Instruction Fuzzy Hash: A6110D71620119AFDB54BB70AC4AEDAB7BCEF02711F0441B6F449D6051FF719DA18A50
                                                              APIs
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                              • CoInitialize.OLE32(00000000), ref: 0027D5EA
                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0027D67D
                                                              • SHGetDesktopFolder.SHELL32(?), ref: 0027D691
                                                              • CoCreateInstance.COMBASE(002A2D7C,00000000,00000001,002C8C1C,?), ref: 0027D6DD
                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0027D74C
                                                              • CoTaskMemFree.COMBASE(?), ref: 0027D7A4
                                                              • _memset.LIBCMT ref: 0027D7E1
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0027D81D
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0027D840
                                                              • CoTaskMemFree.COMBASE(00000000), ref: 0027D847
                                                              • CoTaskMemFree.COMBASE(00000000), ref: 0027D87E
                                                              • CoUninitialize.COMBASE ref: 0027D880
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                              • String ID:
                                                              • API String ID: 1246142700-0
                                                              • Opcode ID: c448e4087adfa45f6462178bb5730d1c9c8e253d4bb905666c646a5c5da49256
                                                              • Instruction ID: 22cac48b1f2324b20ba9f46a2f7389f7a64a1312f94ac04dc15850aa6bdcb081
                                                              • Opcode Fuzzy Hash: c448e4087adfa45f6462178bb5730d1c9c8e253d4bb905666c646a5c5da49256
                                                              • Instruction Fuzzy Hash: 0AB10B75A10109AFDB44DFA4C888DAEBBF9FF48314B048469E909DB251DB30EE51CF50
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000001), ref: 0026C283
                                                              • GetWindowRect.USER32(00000000,?), ref: 0026C295
                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0026C2F3
                                                              • GetDlgItem.USER32(?,00000002), ref: 0026C2FE
                                                              • GetWindowRect.USER32(00000000,?), ref: 0026C310
                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0026C364
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0026C372
                                                              • GetWindowRect.USER32(00000000,?), ref: 0026C383
                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0026C3C6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 0026C3D4
                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0026C3F1
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0026C3FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                              • String ID:
                                                              • API String ID: 3096461208-0
                                                              • Opcode ID: 73c5c19282c75802c96479769b5de5ac7e02f4e48af3a3a7d1bc3d760b293e5a
                                                              • Instruction ID: fff6daa001ed6f980df00a21496f18c2b74f3843a256fdeed7b1cfed3d6bb0fc
                                                              • Opcode Fuzzy Hash: 73c5c19282c75802c96479769b5de5ac7e02f4e48af3a3a7d1bc3d760b293e5a
                                                              • Instruction Fuzzy Hash: E7516E71B10205AFDB18DFA9DD99ABEBBBAEB88310F24812DF915D7290D7709D508B10
                                                              APIs
                                                                • Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC
                                                              • GetSysColor.USER32(0000000F), ref: 002121D3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ColorLongWindow
                                                              • String ID:
                                                              • API String ID: 259745315-0
                                                              • Opcode ID: d862ce8d6e1e3cd5d076e53590593ede5aae742579f5013e84189ef27ea77976
                                                              • Instruction ID: 55f8829b85f6599a81e1cfb71c4e8383a79f167e4c47a339fb086c8566a45f3b
                                                              • Opcode Fuzzy Hash: d862ce8d6e1e3cd5d076e53590593ede5aae742579f5013e84189ef27ea77976
                                                              • Instruction Fuzzy Hash: 7A41F331110100EBDB655F28EC88BFD3BA5EB16331F284266FE65CA1E1C7718CA6DB61
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,0029F910), ref: 0027A90B
                                                              • GetDriveTypeW.KERNEL32(00000061,002C89A0,00000061), ref: 0027A9D5
                                                              • _wcscpy.LIBCMT ref: 0027A9FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                              • API String ID: 2820617543-1000479233
                                                              • Opcode ID: 27e9c932c0c911fb3b69fa6be25c27bd09e89988bcc78fe5b087b715322ccf46
                                                              • Instruction ID: 7ed0a929d1d7ae5e579e7a53cfb725f83825a6f901c4d22788238deab4b3716f
                                                              • Opcode Fuzzy Hash: 27e9c932c0c911fb3b69fa6be25c27bd09e89988bcc78fe5b087b715322ccf46
                                                              • Instruction Fuzzy Hash: FE51BC311383019BC304EF14C8A2AAFB7E5EFD4710F10882DF59A572A2DB719969CB53
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002986FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID: @U=u
                                                              • API String ID: 634782764-2594219639
                                                              • Opcode ID: 9c4f0d78c89699d14c8e6d1b643a04fa6678ac148fe1060471f77588e46b9afa
                                                              • Instruction ID: 5880c5dd1cc5d48eb019f7e1e549acb2232b0d7891a0f3a4da76a43d423927dd
                                                              • Opcode Fuzzy Hash: 9c4f0d78c89699d14c8e6d1b643a04fa6678ac148fe1060471f77588e46b9afa
                                                              • Instruction Fuzzy Hash: CC51B434520249BEEF209F64DC89FAD7BA9FB06350F684116F915DA1E1CFB1A9B0CB50
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0024C2F7
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0024C319
                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0024C331
                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0024C34F
                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0024C370
                                                              • DestroyCursor.USER32(00000000), ref: 0024C37F
                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0024C39C
                                                              • DestroyCursor.USER32(?), ref: 0024C3AB
                                                                • Part of subcall function 0029A4AF: DeleteObject.GDI32(00000000), ref: 0029A4E8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                                              • String ID: @U=u
                                                              • API String ID: 2975913752-2594219639
                                                              • Opcode ID: 71078e65686c99ca4cf9d0679e6c4c4d97b47e62d564c9bd608ec228eeab32a9
                                                              • Instruction ID: 18125e23f87d1c45ac0f4839175e66b11ad642c0f2b654c62e9822f870277de3
                                                              • Opcode Fuzzy Hash: 71078e65686c99ca4cf9d0679e6c4c4d97b47e62d564c9bd608ec228eeab32a9
                                                              • Instruction Fuzzy Hash: 72516A74A20209EFDB64DF68DC45FAA7BE5EB54310F204529F902D7290D7B0ADB0DB50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __i64tow__itow__swprintf
                                                              • String ID: %.15g$0x%p$False$True
                                                              • API String ID: 421087845-2263619337
                                                              • Opcode ID: 8bbc3f94131f52caf99575944650e7e944a6fe10b0cb1fe285c79510b38a1797
                                                              • Instruction ID: a93fd52af61ab9fbc32fe29fe6e024a1edd797ca1746c16b2163ba356edd21e4
                                                              • Opcode Fuzzy Hash: 8bbc3f94131f52caf99575944650e7e944a6fe10b0cb1fe285c79510b38a1797
                                                              • Instruction Fuzzy Hash: EC41E77153020AAFEB28DF34D952EB6B3E8FF46300F60447EE549D7291EA7199A18F50
                                                              APIs
                                                              Strings
                                                              • argument is not a compiled regular expression, xrefs: 00260D87
                                                              • internal error: missing capturing bracket, xrefs: 00260D7F
                                                              • argument not compiled in 16 bit mode, xrefs: 00260D77
                                                              • internal error: opcode not recognized, xrefs: 0022631B
                                                              • ERCP, xrefs: 002261B3
                                                              • 3c", xrefs: 002262AF
                                                              • failed to get memory, xrefs: 00226326
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memset$_memmove
                                                              • String ID: 3c"$ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
                                                              • API String ID: 2532777613-3550804768
                                                              • Opcode ID: 17dee355b38f7b64f5358e229e3bd7eb8cff26dbd19c81378083062a9d1bc184
                                                              • Instruction ID: bf36417a6a115dd858892f12792bad3582794f51cb970775a221da38561394fe
                                                              • Opcode Fuzzy Hash: 17dee355b38f7b64f5358e229e3bd7eb8cff26dbd19c81378083062a9d1bc184
                                                              • Instruction Fuzzy Hash: 1D51B471920316EFDB24CF95D885BABB7F4EF04704F2046AEE84AD7250E770A9A4CB50
                                                              APIs
                                                              • _memset.LIBCMT ref: 0029716A
                                                              • CreateMenu.USER32 ref: 00297185
                                                              • SetMenu.USER32(?,00000000), ref: 00297194
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00297221
                                                              • IsMenu.USER32(?), ref: 00297237
                                                              • CreatePopupMenu.USER32 ref: 00297241
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0029726E
                                                              • DrawMenuBar.USER32 ref: 00297276
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                              • String ID: 0$F
                                                              • API String ID: 176399719-3044882817
                                                              • Opcode ID: eab53703e8cfc1cf369dcfbcdb9e8187974138f03f9516abd27b9fd9e91f1a58
                                                              • Instruction ID: b69614243339e1b7f1ce2d3fb3c543f95090e48135cd7f91a90316ed9757b096
                                                              • Opcode Fuzzy Hash: eab53703e8cfc1cf369dcfbcdb9e8187974138f03f9516abd27b9fd9e91f1a58
                                                              • Instruction Fuzzy Hash: 50412575A21209EFDB60DFA4E988E9ABBB5FF49310F144029FD05A7361D771AD20CB90
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 0026AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0026AABC
                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00269014
                                                              • GetDlgCtrlID.USER32 ref: 0026901F
                                                              • GetParent.USER32 ref: 0026903B
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0026903E
                                                              • GetDlgCtrlID.USER32(?), ref: 00269047
                                                              • GetParent.USER32(?), ref: 00269063
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00269066
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                              • String ID: @U=u$ComboBox$ListBox
                                                              • API String ID: 1536045017-2258501812
                                                              • Opcode ID: ddaf2b75df734afb37fb04f1c3903827226f058bc5f2738aef0ed8986da74f21
                                                              • Instruction ID: b9cb53b4ac391d5ec00199827ab8a12533adfb06e7b799308755b776e1b43013
                                                              • Opcode Fuzzy Hash: ddaf2b75df734afb37fb04f1c3903827226f058bc5f2738aef0ed8986da74f21
                                                              • Instruction Fuzzy Hash: 5221D874A10208BFDF04ABA0DC89EFEB7B8EF55310F100156B521972A1DF7558A5DE20
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 0026AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0026AABC
                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002690FD
                                                              • GetDlgCtrlID.USER32 ref: 00269108
                                                              • GetParent.USER32 ref: 00269124
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00269127
                                                              • GetDlgCtrlID.USER32(?), ref: 00269130
                                                              • GetParent.USER32(?), ref: 0026914C
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0026914F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                              • String ID: @U=u$ComboBox$ListBox
                                                              • API String ID: 1536045017-2258501812
                                                              • Opcode ID: a38ceea3be937bf8f1770772a432709d36a0bf752ae8a35c4fff71f56d170069
                                                              • Instruction ID: 13cbc93a37acc5ac393c6125dc8e2464825f4ca7b6c8070b7f0af81b91a37dce
                                                              • Opcode Fuzzy Hash: a38ceea3be937bf8f1770772a432709d36a0bf752ae8a35c4fff71f56d170069
                                                              • Instruction Fuzzy Hash: 6821F5B4A10209BBDF00ABA0DC89EFEBBBCEF55300F100156B921972A1DB7548A5DF20
                                                              APIs
                                                              • GetParent.USER32 ref: 0026916F
                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00269184
                                                              • _wcscmp.LIBCMT ref: 00269196
                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00269211
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                              • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                                              • API String ID: 1704125052-1428604138
                                                              • Opcode ID: 596c011f157d7e201dd81d9556f6de1718443b98d821c8a457c6e711b548a954
                                                              • Instruction ID: 7b0ea89ed4de20cf1c4194e818af35f150b281a20a49162489fbd1cd79ac8031
                                                              • Opcode Fuzzy Hash: 596c011f157d7e201dd81d9556f6de1718443b98d821c8a457c6e711b548a954
                                                              • Instruction Fuzzy Hash: 9D115976278307BAFA102A24EC1BEA7379C9B06720F20012AFE14E00D1FEB168F15D80
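Several of the entries above are stock interpreter code rather than sample-specific logic: the function whose String ID is all$cdrom$fixed$network$ramdisk$removable$unknown carries the AutoIt DriveGetDrive() drive-type keywords, the entry with %.15g$0x%p$False$True is AutoIt's variant-to-string conversion, and the entry with ERCP and the "argument is not a compiled regular expression" message is the PCRE engine behind StringRegExp (ERCP is PCRE's compiled-pattern magic 0x50435245 read as little-endian bytes). Two entries also share API String ID 1536045017-2258501812 while having different Opcode IDs, so the same API/string profile covers two distinct code bodies. The following Python helper is an added example, not code from the report or from Joe Security: it parses entries in the APIs / Similarity layout used on this page, groups entries that share an API String ID, and tags string sets that identify runtime routines. The runtime labels are analyst knowledge of AutoIt and PCRE, not something the report states, and the embedded sample is an excerpt constructed from three entries on this page.

```python
"""Triage helper for Joe Sandbox per-function signature blocks (added example,
not code from the report). Runtime labels are analyst knowledge of AutoIt/PCRE."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt constructed from three entries on this page (indentation trimmed).
SAMPLE = """\
APIs
• CharLowerBuffW.USER32(?,?,0029F910), ref: 0027A90B
• GetDriveTypeW.KERNEL32(00000061,002C89A0,00000061), ref: 0027A9D5
• _wcscpy.LIBCMT ref: 0027A9FF
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 27e9c932c0c911fb3b69fa6be25c27bd09e89988bcc78fe5b087b715322ccf46
APIs
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00269014
• GetDlgCtrlID.USER32 ref: 0026901F
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: @U=u$ComboBox$ListBox
• API String ID: 1536045017-2258501812
• Opcode ID: ddaf2b75df734afb37fb04f1c3903827226f058bc5f2738aef0ed8986da74f21
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002690FD
• GetDlgCtrlID.USER32 ref: 00269108
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: @U=u$ComboBox$ListBox
• API String ID: 1536045017-2258501812
• Opcode ID: a38ceea3be937bf8f1770772a432709d36a0bf752ae8a35c4fff71f56d170069
"""

# API lines read "Name.MODULE(args), ref: VA"; "(args)" and the comma are optional,
# and sub-call lines carry a "Part of subcall function VA:" prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]{8}:\s*)?(?P<name>[\w@$?]+)\."
    r"(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>API ID|String ID|API String ID|Opcode ID):\s*(?P<val>.*)$")
SECTIONS = ("APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin")

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)    # (name, module, call-site VA)
    fields: dict = field(default_factory=dict)  # Similarity key -> value

    @property
    def string_set(self):
        # The String ID is the function's referenced strings joined with '$'.
        return frozenset(s for s in self.fields.get("String ID", "").split("$") if s)

def parse_blocks(text):
    """Split report text into FunctionEntry objects; each "APIs" header starts a new one."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
        elif cur is None or not line.startswith("•"):
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["mod"], m["ref"]))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur.fields[m["key"]] = m["val"].strip()
    return entries

# Analyst knowledge, not report data: string sets that identify stock interpreter code.
RUNTIME_STRING_SETS = {
    frozenset({"all", "cdrom", "fixed", "network", "ramdisk", "removable", "unknown"}):
        "AutoIt DriveGetDrive() drive-type keywords",
    frozenset({"%.15g", "0x%p", "False", "True"}):
        "AutoIt variant-to-string conversion (15-digit double, pointer, boolean)",
}
# PCRE's compiled-pattern magic 0x50435245 ('PCRE') appears as "ERCP" in little-endian memory.
PCRE_MARKERS = frozenset({"ERCP", "argument is not a compiled regular expression"})

def tag_runtime(entry):
    """Label an entry as known runtime code, or return None if it may be sample-specific."""
    if PCRE_MARKERS <= entry.string_set:
        return "PCRE regex engine (AutoIt StringRegExp)"
    return RUNTIME_STRING_SETS.get(entry.string_set)

def shared_signatures(entries):
    """API String IDs carried by more than one distinct Opcode ID: same API/string
    profile but a different code body, so each copy still needs its own look."""
    by_sig = defaultdict(set)
    for e in entries:
        sig, op = e.fields.get("API String ID"), e.fields.get("Opcode ID")
        if sig and op:
            by_sig[sig].add(op)
    return {sig: sorted(ops) for sig, ops in by_sig.items() if len(ops) > 1}

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for e in parsed:
        print(e.fields.get("Opcode ID", "?")[:16], len(e.apis), "APIs", tag_runtime(e) or "-")
    print("shared signatures:", shared_signatures(parsed))
```

Paste a larger run of entries from the report into SAMPLE (or read a saved copy of the page) to triage the whole listing; entries that come back tagged can be set aside as interpreter boilerplate, and the remaining untagged functions, together with any Opcode IDs that share an API String ID, are the ones worth opening in a disassembler.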
                                                              APIs
                                                              • _memset.LIBCMT ref: 00236E3E
                                                                • Part of subcall function 00238B28: __getptd_noexit.LIBCMT ref: 00238B28
                                                              • __gmtime64_s.LIBCMT ref: 00236ED7
                                                              • __gmtime64_s.LIBCMT ref: 00236F0D
                                                              • __gmtime64_s.LIBCMT ref: 00236F2A
                                                              • __allrem.LIBCMT ref: 00236F80
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00236F9C
                                                              • __allrem.LIBCMT ref: 00236FB3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00236FD1
                                                              • __allrem.LIBCMT ref: 00236FE8
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00237006
                                                              • __invoke_watson.LIBCMT ref: 00237077
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                              • String ID:
                                                              • API String ID: 384356119-0
                                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                              • Instruction ID: f0ec4738d54d8381945aa9f1a01d1848d9e3f6805435f7c5ed0982093aa2b7df
                                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                              • Instruction Fuzzy Hash: 327109F6A20717ABDB28EF68DC45B6AB3B8AF04724F148129F514D7681E770DD248F90
                                                              APIs
                                                              • _memset.LIBCMT ref: 00272542
                                                              • GetMenuItemInfoW.USER32(002D5890,000000FF,00000000,00000030), ref: 002725A3
                                                              • SetMenuItemInfoW.USER32(002D5890,00000004,00000000,00000030), ref: 002725D9
                                                              • Sleep.KERNEL32(000001F4), ref: 002725EB
                                                              • GetMenuItemCount.USER32(?), ref: 0027262F
                                                              • GetMenuItemID.USER32(?,00000000), ref: 0027264B
                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00272675
                                                              • GetMenuItemID.USER32(?,?), ref: 002726BA
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00272700
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00272714
                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00272735
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                              • String ID:
                                                              • API String ID: 4176008265-0
                                                              • Opcode ID: 852ac54c1adb5bff3d9a5968734651c29502eeb63b5ff524280b235f42e229f6
                                                              • Instruction ID: 10dcdc294a497c1b27e88d3a67be3146a0dc6394d51096c6b39e133518438d68
                                                              • Opcode Fuzzy Hash: 852ac54c1adb5bff3d9a5968734651c29502eeb63b5ff524280b235f42e229f6
                                                              • Instruction Fuzzy Hash: 1661AF7092024AEFDB15CF64DE88DBEBBBCFB05304F54805AE849A3251D771AD29DB20
                                                              APIs
                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00296FA5
                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00296FA8
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00296FCC
                                                              • _memset.LIBCMT ref: 00296FDD
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00296FEF
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00297067
                                                              Similarity
                                                              • API ID: MessageSend$LongWindow_memset
                                                              • String ID:
                                                              • API String ID: 830647256-0
                                                              • Opcode ID: a16f7c268c3e3d27f6052b66b84ee21e784a6ee83cfc4bd5c4aa5ca3e0203d31
                                                              • Instruction ID: e9dbe879046096c08dcb29831bed7b723947c94676c8f3dfc60514bba117351d
                                                              • Opcode Fuzzy Hash: a16f7c268c3e3d27f6052b66b84ee21e784a6ee83cfc4bd5c4aa5ca3e0203d31
                                                              • Instruction Fuzzy Hash: CD617971910209AFDB10DFA4CC85EEE77F8AB09710F10419AFA15EB2A1C771AD61DB90
                                                              APIs
                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00266BBF
                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00266C18
                                                              • VariantInit.OLEAUT32(?), ref: 00266C2A
                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00266C4A
                                                              • VariantCopy.OLEAUT32(?,?), ref: 00266C9D
                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00266CB1
                                                              • VariantClear.OLEAUT32(?), ref: 00266CC6
                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00266CD3
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00266CDC
                                                              • VariantClear.OLEAUT32(?), ref: 00266CEE
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00266CF9
                                                              Similarity
                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                              • String ID:
                                                              • API String ID: 2706829360-0
                                                              • Opcode ID: 3f406381e966804f98dc40670b86e8066212cf9a28aba83a3a1c710758061233
                                                              • Instruction ID: d7fd10bc2c113f6ec5af61c845301de9ccdc1145bf61acbb146c3821833f04cb
                                                              • Opcode Fuzzy Hash: 3f406381e966804f98dc40670b86e8066212cf9a28aba83a3a1c710758061233
                                                              • Instruction Fuzzy Hash: 71415F71A102199FCF00DFA8D94C9EEBBB9FF48354F00806AE955E7261CB30A995CF90
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Variant$ClearInit$_memset
                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                                              • API String ID: 2862541840-1765764032
                                                              • Opcode ID: 2b1683b96e993a355c411cd146b0e4ed3f6a8d5675b9ba76cae6faa185eeda65
                                                              • Instruction ID: a9129f8fac79173791cbfa2c9a820af9d0c26f04ec76a62319cb49d7bfb54f0b
                                                              • Opcode Fuzzy Hash: 2b1683b96e993a355c411cd146b0e4ed3f6a8d5675b9ba76cae6faa185eeda65
                                                              • Instruction Fuzzy Hash: 6B91B375921206ABDF20EF95C848FAEB7B8EF45710F148159F905AB2C0D7709994CFA0
                                                              APIs
                                                              • SetWindowLongW.USER32(?,000000EB), ref: 00212EAE
                                                                • Part of subcall function 00211DB3: GetClientRect.USER32(?,?), ref: 00211DDC
                                                                • Part of subcall function 00211DB3: GetWindowRect.USER32(?,?), ref: 00211E1D
                                                                • Part of subcall function 00211DB3: ScreenToClient.USER32(?,?), ref: 00211E45
                                                              • GetDC.USER32 ref: 0024CD32
                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0024CD45
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0024CD53
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0024CD68
                                                              • ReleaseDC.USER32(?,00000000), ref: 0024CD70
                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0024CDFB
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                              • String ID: @U=u$U
                                                              • API String ID: 4009187628-4110099822
                                                              • Opcode ID: e8660a4be5f58a518ea9a21c0dcff87216716bf8932ef6717f5e8768c859b38d
                                                              • Instruction ID: f34ab8ea6acb331ec720067aeb88b3e09317f622faf672745e57362d8fd74ce1
                                                              • Opcode Fuzzy Hash: e8660a4be5f58a518ea9a21c0dcff87216716bf8932ef6717f5e8768c859b38d
                                                              • Instruction Fuzzy Hash: F771C131921206DFCF698F68C884AEA7BB5FF58310F24426AED559A2A5C7319CB0DB50
                                                              APIs
                                                              • WSAStartup.WS2_32(00000101,?), ref: 00285793
                                                              • inet_addr.WS2_32(?), ref: 002857D8
                                                              • gethostbyname.WS2_32(?), ref: 002857E4
                                                              • IcmpCreateFile.IPHLPAPI ref: 002857F2
                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00285862
                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00285878
                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 002858ED
                                                              • WSACleanup.WS2_32 ref: 002858F3
                                                              Strings
                                                              Similarity
                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                              • String ID: Ping
                                                              • API String ID: 1028309954-2246546115
                                                              • Opcode ID: 39d4a1924f7d5816bb48633a783682fd766025029bbf51734c1e61b9946af193
                                                              • Instruction ID: efc72854a847815331908034d3c0c1e93404c39d4f10065d00bafe33c6e94eb2
                                                              • Opcode Fuzzy Hash: 39d4a1924f7d5816bb48633a783682fd766025029bbf51734c1e61b9946af193
                                                              • Instruction Fuzzy Hash: 8151BC35621611DFDB10AF24DC89B6AB7E4AF48310F04852AF956DB2E1DB70E9A0CF42
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00296E24
                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00296E38
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00296E52
                                                              • _wcscat.LIBCMT ref: 00296EAD
                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00296EC4
                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00296EF2
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Window_wcscat
                                                              • String ID: -----$@U=u$SysListView32
                                                              • API String ID: 307300125-3470791606
                                                              • Opcode ID: 16f9bee3700c9ea533b465216302217dd41c52b9945cbc547a3fef8cf8c7ac84
                                                              • Instruction ID: 3ca4f32c07e42ec52f413e4562340118e57b5c1699ff1320ee0de1b8a05d8fd3
                                                              • Opcode Fuzzy Hash: 16f9bee3700c9ea533b465216302217dd41c52b9945cbc547a3fef8cf8c7ac84
                                                              • Instruction Fuzzy Hash: 9041A071A10309ABEF219F64CC89FEEB7E8EF08350F10042AF594E7291D6719DA48B60
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0027B4D0
                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0027B546
                                                              • GetLastError.KERNEL32 ref: 0027B550
                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0027B5BD
                                                              Strings
                                                              Similarity
                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                              • API String ID: 4194297153-14809454
                                                              • Opcode ID: 5c869aec0de9fe025e0f5b17cb5be2a01a102995d18dfccf7a5e10f54d27d124
                                                              • Instruction ID: 3f5acc3b6667b9f7e51da7f604d45da3a61f9aab7f651c9f2722ebd041fadb4e
                                                              • Opcode Fuzzy Hash: 5c869aec0de9fe025e0f5b17cb5be2a01a102995d18dfccf7a5e10f54d27d124
                                                              • Instruction Fuzzy Hash: D231A135A20206DFCB01EF68C885FAEBBB4FF59314F50816AE509D7291DB709A61CB91
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 002961EB
                                                              • GetDC.USER32(00000000), ref: 002961F3
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002961FE
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0029620A
                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00296246
                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00296257
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0029902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00296291
                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002962B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                              • String ID: @U=u
                                                              • API String ID: 3864802216-2594219639
                                                              • Opcode ID: 16bb72331fffc5decf552983dc02fc516b1b5de15684c5c38958ed588b42dc23
                                                              • Instruction ID: 9dae6267ca1e2e0aa6ab59e4a2b53d41fb3c425413ec7198e9ed94c4438e6259
                                                              • Opcode Fuzzy Hash: 16bb72331fffc5decf552983dc02fc516b1b5de15684c5c38958ed588b42dc23
                                                              • Instruction Fuzzy Hash: 6E317C72211210BFEF518F60DD8AFEA3BADEF4A765F044066FE08DA291C6759C51CB60
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 002888D7
                                                              • CoInitialize.OLE32(00000000), ref: 00288904
                                                              • CoUninitialize.COMBASE ref: 0028890E
                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00288A0E
                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00288B3B
                                                              • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,002A2C0C), ref: 00288B6F
                                                              • CoGetObject.OLE32(?,00000000,002A2C0C,?), ref: 00288B92
                                                              • SetErrorMode.KERNEL32(00000000), ref: 00288BA5
                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00288C25
                                                              • VariantClear.OLEAUT32(?), ref: 00288C35
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                              • String ID:
                                                              • API String ID: 2395222682-0
                                                              • Opcode ID: ab726fe3b3d659101672251b1b15522705613f0716e1712f99b860ddb1acd53a
                                                              • Instruction ID: bc9bf05fc25f53675fcc98a694bfe00ebc15a90ebf857a59d574d5660907d6d7
                                                              • Opcode Fuzzy Hash: ab726fe3b3d659101672251b1b15522705613f0716e1712f99b860ddb1acd53a
                                                              • Instruction Fuzzy Hash: FCC144B5228305AFD700EF24C88492AB7E9BF89348F40495DF88ADB291DB71ED55CB52
                                                              APIs
                                                              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00277A6C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ArraySafeVartype
                                                              • String ID:
                                                              • API String ID: 1725837607-0
                                                              • Opcode ID: 2720c0f68b624b22b87d69eb7b30fb98ca442a14ccd5581ecb6614bc01223651
                                                              • Instruction ID: a978580866033cce27592deff70a901c326a2480a910f375f20091ad63f93dd9
                                                              • Opcode Fuzzy Hash: 2720c0f68b624b22b87d69eb7b30fb98ca442a14ccd5581ecb6614bc01223651
                                                              • Instruction Fuzzy Hash: D8B1B27192421A9FDB01DFA4C885BBEB7F4FF09325F20842AE609E7241D774A951CFA1
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 002711F0
                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00270268,?,00000001), ref: 00271204
                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 0027120B
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00270268,?,00000001), ref: 0027121A
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0027122C
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00270268,?,00000001), ref: 00271245
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00270268,?,00000001), ref: 00271257
                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00270268,?,00000001), ref: 0027129C
                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00270268,?,00000001), ref: 002712B1
                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00270268,?,00000001), ref: 002712BC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                              • String ID:
                                                              • API String ID: 2156557900-0
                                                              • Opcode ID: 65399291793ed5cef3b96bc8bcb22cbac1008c5f7883ff39de0cd5746c009ed0
                                                              • Instruction ID: e12e32ff55d8d422e93d04d7b4d27938324605f343c9534ced6101229e2ae913
                                                              • Opcode Fuzzy Hash: 65399291793ed5cef3b96bc8bcb22cbac1008c5f7883ff39de0cd5746c009ed0
                                                              • Instruction Fuzzy Hash: A631DD75A11315BFDB209F68FD8CB6937A9AF64311F208126FC09D61A1E7B09D608B60
                                                              APIs
                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0021FAA6
                                                              • OleUninitialize.OLE32(?,00000000), ref: 0021FB45
                                                              • UnregisterHotKey.USER32(?), ref: 0021FC9C
                                                              • DestroyWindow.USER32(?), ref: 002545D6
                                                              • FreeLibrary.KERNEL32(?), ref: 0025463B
                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00254668
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                              • String ID: close all
                                                              • API String ID: 469580280-3243417748
                                                              • Opcode ID: 06fee09aea8bfbc21824293f945d2d147394d36091d38d7a82f05ba20edbd45f
                                                              • Instruction ID: 2579a0d178da2f4ef12b92cf666abfaeb9aae89963eb94baf3dd18049c7cb332
                                                              • Opcode Fuzzy Hash: 06fee09aea8bfbc21824293f945d2d147394d36091d38d7a82f05ba20edbd45f
                                                              • Instruction Fuzzy Hash: 59A18170721212CFCB58EF14C594B69F3A4BF15705F5042ADE80AAB251DB30ADB6CF94
                                                              APIs
                                                              • EnumChildWindows.USER32(?,0026A439), ref: 0026A377
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumWindows
                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                              • API String ID: 3555792229-1603158881
                                                              • Opcode ID: 39a108c64768209f510f049e689183684acb4117f6802175f1503d4f18a3a6af
                                                              • Instruction ID: cbd1bc88dd2c50df1a095852c7570381380355ee078e58113a92b0b2ad271fa8
                                                              • Opcode Fuzzy Hash: 39a108c64768209f510f049e689183684acb4117f6802175f1503d4f18a3a6af
                                                              • Instruction Fuzzy Hash: F5917271620606AACB08DFA0C492BEDFBB4BF14300F548159E95AB7251DB3169F9CFA1
                                                              APIs
                                                              • IsWindow.USER32(015624B0), ref: 0029B3EB
                                                              • IsWindowEnabled.USER32(015624B0), ref: 0029B3F7
                                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0029B4DB
                                                              • SendMessageW.USER32(015624B0,000000B0,?,?), ref: 0029B512
                                                              • IsDlgButtonChecked.USER32(?,?), ref: 0029B54F
                                                              • GetWindowLongW.USER32(015624B0,000000EC), ref: 0029B571
                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0029B589
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                              • String ID: @U=u
                                                              • API String ID: 4072528602-2594219639
                                                              • Opcode ID: 9c8736dbcbe875e120c3b325ea35136336d6c59b4727d2981f481a4bc7c79537
                                                              • Instruction ID: 04ee49d26fe4d9bc0cbdeb226978b6cd7314c229ff13d5d2835aa48a9e0d6372
                                                              • Opcode Fuzzy Hash: 9c8736dbcbe875e120c3b325ea35136336d6c59b4727d2981f481a4bc7c79537
                                                              • Instruction Fuzzy Hash: E771B134610216EFDF22DF64EAA4FBA77B9EF09300F10405AF94597262C771AC60EB50
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00281A50
                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00281A7C
                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00281ABE
                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00281AD3
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00281AE0
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00281B10
                                                              • InternetCloseHandle.WININET(00000000), ref: 00281B57
                                                                • Part of subcall function 00282483: GetLastError.KERNEL32(?,?,00281817,00000000,00000000,00000001), ref: 00282498
                                                                • Part of subcall function 00282483: SetEvent.KERNEL32(?,?,00281817,00000000,00000000,00000001), ref: 002824AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                              • String ID:
                                                              • API String ID: 2603140658-3916222277
                                                              • Opcode ID: 85215e7f13acba0be0de935fd06ec9aee76a9c23d74a63bbf000ccb99c854abe
                                                              • Instruction ID: eac613d6609b94122689558f7c7e088d53b4842ead8034de4e06a57c71b22468
                                                              • Opcode Fuzzy Hash: 85215e7f13acba0be0de935fd06ec9aee76a9c23d74a63bbf000ccb99c854abe
                                                              • Instruction Fuzzy Hash: AC4171B5512219BFEB11AF50CC89FFA77ACEF08354F008126F9059A1C1E7709E658BA0
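The record above is the sample's WinINet client path (connect, open request, read and rewrite the request's security flags, send, read Content-Length). As an added example, not code from the Joe Sandbox report, from Joe Security, or from the analysed sample, the following Python parses function records in exactly this listing layout (an "APIs" line, "• Name.MODULE(args), ref: ADDR" bullets, "Part of subcall function X:" prefixes, then "• Key: value" similarity fields) and flags API clusters worth a second look. The behaviour labels and their membership are this example's own assumptions, the two decoded constants come from wininet.h, and the embedded input is a constructed excerpt of two records in the layout shown above.

```python
"""Triage Joe Sandbox 'APIs' function records (HCA / IDA plugin listing layout).

Added example, not part of the report or of the sample. Assumes the plain-text
layout of this section; behaviour labels are this example's own, not Joe Sandbox
signatures; numeric constants are taken from wininet.h.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(
    r"^•\s*(?P<key>API ID|API String ID|String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)

# API clusters that, seen together in one function, merit a closer look (assumed labels).
BEHAVIOURS = {
    "wininet-http-client": frozenset({"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"}),
    "thread-input-attach": frozenset({"GetForegroundWindow", "AttachThreadInput"}),
    "com-moniker-lookup": frozenset({"GetRunningObjectTable", "CoGetObject"}),
}
WININET_OPTIONS = {31: "INTERNET_OPTION_SECURITY_FLAGS"}  # wininet.h
HTTP_QUERY_INFO = {5: "HTTP_QUERY_CONTENT_LENGTH"}         # wininet.h


@dataclass
class Call:
    name: str
    module: str
    args: tuple[str, ...]
    ref: str
    subcall_of: str | None = None  # callee address the API was reached through, if any


@dataclass
class FunctionRecord:
    calls: list[Call] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split listing text into records; every 'APIs' line opens a new one."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()  # subcall bullets are indented in the report
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
            current.calls.append(Call(m["name"], m["module"].upper(), args, m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            current.fields[f["key"]] = f["val"].strip()
    return records


def _hex(arg: str) -> int | None:
    """Joe prints unresolved arguments as '?', so hex parsing must tolerate them."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def triage(rec: FunctionRecord) -> dict:
    """Match API clusters (subcall APIs included: they are reachable) and name known constants."""
    names = {c.name for c in rec.calls}
    hits = [label for label, needed in BEHAVIOURS.items() if needed <= names]
    notes = []
    for c in rec.calls:
        if len(c.args) < 2:
            continue
        if c.name in ("InternetSetOptionW", "InternetQueryOptionW") and _hex(c.args[1]) in WININET_OPTIONS:
            notes.append(f"{c.name}@{c.ref}: option {WININET_OPTIONS[_hex(c.args[1])]}")
        elif c.name == "HttpQueryInfoW" and _hex(c.args[1]) in HTTP_QUERY_INFO:
            notes.append(f"{c.name}@{c.ref}: query {HTTP_QUERY_INFO[_hex(c.args[1])]}")
    return {"api_id": rec.fields.get("API ID", ""), "calls": len(rec.calls), "behaviours": hits, "notes": notes}


def summarise(text: str) -> list[dict]:
    return [triage(r) for r in parse_records(text)]


# Constructed excerpt: two abridged records in the layout of the listing above.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00281A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00281A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00281ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00281AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00281AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00281B10
• InternetCloseHandle.WININET(00000000), ref: 00281B57
  • Part of subcall function 00282483: GetLastError.KERNEL32(?,?,00281817,00000000,00000000,00000001), ref: 00282498
  • Part of subcall function 00282483: SetEvent.KERNEL32(?,?,00281817,00000000,00000000,00000001), ref: 002824AD
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
APIs
• GetCurrentThreadId.KERNEL32 ref: 002711F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00270268,?,00000001), ref: 00271204
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00270268,?,00000001), ref: 0027121A
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
"""

if __name__ == "__main__":
    for i, s in enumerate(summarise(SAMPLE)):
        print(f"record {i}: {s['calls']} calls, behaviours={s['behaviours']}, notes={s['notes']}")
```

Two caveats when reading the output against the real listing. An API on a "Part of subcall function" line belongs to the callee at that address, so the cluster match is transitive, not a statement about the function's own instructions. And the third argument of InternetSetOptionW is a buffer pointer, so the listing alone does not establish which SECURITY_FLAG_* bits the sample writes; the example names the option being touched and leaves the value to be confirmed in the disassembly.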
                                                              APIs
                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002962EC
                                                              • GetWindowLongW.USER32(015624B0,000000F0), ref: 0029631F
                                                              • GetWindowLongW.USER32(015624B0,000000F0), ref: 00296354
                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00296386
                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002963B0
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 002963C1
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002963DB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 2178440468-2594219639
                                                              • Opcode ID: c08eb88c48f8dbce92b2c2b9cff25915f4bf0ef5172e1d5c0389967dbcf243ae
                                                              • Instruction ID: b304bf2d9380a47810e31b4a949f6e3856c2df129851aec1cb8a161e951d4451
                                                              • Opcode Fuzzy Hash: c08eb88c48f8dbce92b2c2b9cff25915f4bf0ef5172e1d5c0389967dbcf243ae
                                                              • Instruction Fuzzy Hash: 473112306102519FDB208F19EC88F5437E5BB4AB14F1941A5F510CB2B1CB71ACA0AB54
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0029F910), ref: 00288D28
                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0029F910), ref: 00288D5C
                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00288ED6
                                                              • SysFreeString.OLEAUT32(?), ref: 00288F00
                                                              Similarity
                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                              • String ID:
                                                              • API String ID: 560350794-0
                                                              • Opcode ID: 471011450a4536eeb58c6430d4176f5d819901b1c9957be00ac6e47c9c0dc102
                                                              • Instruction ID: f8a52c3709cd75a9c58ecb135bc723e97a1945aadcee03e0e000400e77e4a3f3
                                                              • Opcode Fuzzy Hash: 471011450a4536eeb58c6430d4176f5d819901b1c9957be00ac6e47c9c0dc102
                                                              • Instruction Fuzzy Hash: 81F15975A21209EFDF04EF94C888EAEB7B9FF45314F148058F905AB291DB31AE95CB50
                                                              APIs
                                                              • _memset.LIBCMT ref: 0028F6B5
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028F848
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028F86C
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028F8AC
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028F8CE
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0028FA4A
                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0028FA7C
                                                              • CloseHandle.KERNEL32(?), ref: 0028FAAB
                                                              • CloseHandle.KERNEL32(?), ref: 0028FB22
                                                              Similarity
                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                              • String ID:
                                                              • API String ID: 4090791747-0
                                                              • Opcode ID: f078eb255c395c84716a4a1f9f2c5e72b2e826bd8bbd329392c7c4bc4ce32896
                                                              • Instruction ID: ba83742cd6d76c4887fb07fae248e6704e584eb933cea2f7d67436b7bbf86047
                                                              • Opcode Fuzzy Hash: f078eb255c395c84716a4a1f9f2c5e72b2e826bd8bbd329392c7c4bc4ce32896
                                                              • Instruction Fuzzy Hash: 52E1E1356243019FC754EF24C991B6ABBE1EF89314F14856DF8898B2A2CB30EC65CF52
                                                              APIs
                                                                • Part of subcall function 00211B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00212036,?,00000000,?,?,?,?,002116CB,00000000,?), ref: 00211B9A
                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002120D3
                                                              • KillTimer.USER32(-00000001,?,?,?,?,002116CB,00000000,?,?,00211AE2,?,?), ref: 0021216E
                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0024BCA6
                                                              • DeleteObject.GDI32(00000000), ref: 0024BD1C
                                                              Similarity
                                                              • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                              • String ID:
                                                              • API String ID: 2402799130-0
                                                              • Opcode ID: 4eb18c7ac25b108873b3130f1d6cfafe238d9ce86f9abc86a2dd61ad92e4e84c
                                                              • Instruction ID: 20285985ffef6a3684e5724285b8f8bed2c92c44211e81cae8f8d84bba2884d0
                                                              • Opcode Fuzzy Hash: 4eb18c7ac25b108873b3130f1d6cfafe238d9ce86f9abc86a2dd61ad92e4e84c
                                                              • Instruction Fuzzy Hash: EE618C30921A11DFDB2A9F14E948B69B7F2FB64312F10452AE5429A960C7B1ACF4DF90
                                                              APIs
                                                                • Part of subcall function 0027466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00273697,?), ref: 0027468B
                                                                • Part of subcall function 0027466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00273697,?), ref: 002746A4
                                                                • Part of subcall function 00274A31: GetFileAttributesW.KERNEL32(?,0027370B), ref: 00274A32
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00274D40
                                                              • _wcscmp.LIBCMT ref: 00274D5A
                                                              • MoveFileW.KERNEL32(?,?), ref: 00274D75
                                                              Similarity
                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                              • String ID:
                                                              • API String ID: 793581249-0
                                                              • Opcode ID: 284a9801025cdbe9fa436f686349bb9a8b615e3a0cf7406f19d61d6205e24d29
                                                              • Instruction ID: b46d9d3c21e185d05beb977143d6f919ef2ce5b8e7022c1b957ae9987c152b2d
                                                              • Opcode Fuzzy Hash: 284a9801025cdbe9fa436f686349bb9a8b615e3a0cf7406f19d61d6205e24d29
                                                              • Instruction Fuzzy Hash: 0F5162B21183859BC764EF60D8819DFB3ECAF84310F50492EF689D3151EF70A698CB66
                                                              APIs
                                                                • Part of subcall function 0026A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0026A84C
                                                                • Part of subcall function 0026A82C: GetCurrentThreadId.KERNEL32 ref: 0026A853
                                                                • Part of subcall function 0026A82C: AttachThreadInput.USER32(00000000,?,00269683,?,00000001), ref: 0026A85A
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0026968E
                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002696AB
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002696AE
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 002696B7
                                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002696D5
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002696D8
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 002696E1
                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002696F8
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002696FB
                                                              Similarity
                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                              • String ID:
                                                              • API String ID: 2014098862-0
                                                              • Opcode ID: c491d8e01761661b4794cb053b28d2cd55cf189f48f7d8ba308d12ed3022c028
                                                              • Instruction ID: 7ea18fe3e76bbafc758257afb00cd099dae6eb7d7a764422c8dbe60b32836010
                                                              • Opcode Fuzzy Hash: c491d8e01761661b4794cb053b28d2cd55cf189f48f7d8ba308d12ed3022c028
                                                              • Instruction Fuzzy Hash: 2911E1B1920218BEF6506F60EC8DF6A3B2DEB4C750F100426F654EB0A0C9F26C90DEE4
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0026853C,00000B00,?,?), ref: 0026892A
                                                              • RtlAllocateHeap.NTDLL(00000000,?,0026853C), ref: 00268931
                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0026853C,00000B00,?,?), ref: 00268946
                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0026853C,00000B00,?,?), ref: 0026894E
                                                              • DuplicateHandle.KERNEL32(00000000,?,0026853C,00000B00,?,?), ref: 00268951
                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0026853C,00000B00,?,?), ref: 00268961
                                                              • GetCurrentProcess.KERNEL32(0026853C,00000000,?,0026853C,00000B00,?,?), ref: 00268969
                                                              • DuplicateHandle.KERNEL32(00000000,?,0026853C,00000B00,?,?), ref: 0026896C
                                                              • CreateThread.KERNEL32(00000000,00000000,00268992,00000000,00000000,00000000), ref: 00268986
                                                              Similarity
                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                                              • String ID:
                                                              • API String ID: 1422014791-0
                                                              • Opcode ID: 7cae6aea11d5ec292410611d767a138ca6bc0512998a1450936660087b8fcf47
                                                              • Instruction ID: 7a94b8213037f754f1deb78d86138fe50193f15e403c0b40242c08b4f5dfc90e
                                                              • Opcode Fuzzy Hash: 7cae6aea11d5ec292410611d767a138ca6bc0512998a1450936660087b8fcf47
                                                              • Instruction Fuzzy Hash: E101BF75640304FFE790ABA5ED4DF6B3B6CEB89711F504422FA09DB1A1CA709C10CB64
                                                              APIs
                                                                • Part of subcall function 0026710A: CLSIDFromProgID.COMBASE ref: 00267127
                                                                • Part of subcall function 0026710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00267142
                                                                • Part of subcall function 0026710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00267044,80070057,?,?), ref: 00267150
                                                                • Part of subcall function 0026710A: CoTaskMemFree.COMBASE(00000000), ref: 00267160
                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00289806
                                                              • _memset.LIBCMT ref: 00289813
                                                              • _memset.LIBCMT ref: 00289956
                                                              • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00289982
                                                              • CoTaskMemFree.COMBASE(?), ref: 0028998D
                                                              Strings
                                                              • NULL Pointer assignment, xrefs: 002899DB
                                                              Similarity
                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                              • String ID: NULL Pointer assignment
                                                              • API String ID: 1300414916-2785691316
                                                              • Opcode ID: 922f9099b5fa726b7d78355016869cee09f903a18a051170d65599cfd3724b45
                                                              • Instruction ID: 8e1b8bb769c7150e960284179dd9990f65778ea7bbd9accb6301e650f66e5ace
                                                              • Opcode Fuzzy Hash: 922f9099b5fa726b7d78355016869cee09f903a18a051170d65599cfd3724b45
                                                              • Instruction Fuzzy Hash: 8B914A71D11229EBDB10EFA4DC84EEEBBB9BF08310F10415AF419A7281DB715A94CFA0
                                                              APIs
                                                                • Part of subcall function 00273C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00273C7A
                                                                • Part of subcall function 00273C55: Process32FirstW.KERNEL32(00000000,?), ref: 00273C88
                                                                • Part of subcall function 00273C55: CloseHandle.KERNEL32(00000000), ref: 00273D52
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028E9A4
                                                              • GetLastError.KERNEL32 ref: 0028E9B7
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028E9E6
                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0028EA63
                                                              • GetLastError.KERNEL32(00000000), ref: 0028EA6E
                                                              • CloseHandle.KERNEL32(00000000), ref: 0028EAA3
                                                              Strings
                                                              Similarity
                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                              • String ID: SeDebugPrivilege
                                                              • API String ID: 2533919879-2896544425
                                                              • Opcode ID: d154baeeb98668310744ebd9b7347bc05d8d12bc17805b9e5ebd24952378f23e
                                                              • Instruction ID: 615bf00b5f748000cb87a47ebb7d6e1403bd0fe383f8e3d0fedf3689d0b40293
                                                              • Opcode Fuzzy Hash: d154baeeb98668310744ebd9b7347bc05d8d12bc17805b9e5ebd24952378f23e
                                                              • Instruction Fuzzy Hash: 5941EF312202019FDB14EF24DCA9FAEB7E5AF41710F158459F9069B2C2CBB4E8A4CF85
                                                              APIs
                                                              • ShowWindow.USER32(002D57B0,00000000,015624B0,?,?,002D57B0,?,0029B5A8,?,?), ref: 0029B712
                                                              • EnableWindow.USER32(00000000,00000000), ref: 0029B736
                                                              • ShowWindow.USER32(002D57B0,00000000,015624B0,?,?,002D57B0,?,0029B5A8,?,?), ref: 0029B796
                                                              • ShowWindow.USER32(00000000,00000004,?,0029B5A8,?,?), ref: 0029B7A8
                                                              • EnableWindow.USER32(00000000,00000001), ref: 0029B7CC
                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0029B7EF
                                                              Similarity
                                                              • API ID: Window$Show$Enable$MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 642888154-2594219639
                                                              • Opcode ID: 49ff899d3c61dd19d8f4537c05b07e35f086283e874dc583708eb67f424f4e30
                                                              • Instruction ID: 18fdf1e21b854efc88307ea13729ae9f27d19363a1ed4efaec6e529f7cad00ee
                                                              • Opcode Fuzzy Hash: 49ff899d3c61dd19d8f4537c05b07e35f086283e874dc583708eb67f424f4e30
                                                              • Instruction Fuzzy Hash: 51417735600241AFDF22CFA4E699BD4BBE1FF45310F1842B9E9488F5A2C731A865CB51
                                                              APIs
                                                              • LoadIconW.USER32(00000000,00007F03), ref: 00273033
                                                              Similarity
                                                              • API ID: IconLoad
                                                              • String ID: blank$info$question$stop$warning
                                                              • API String ID: 2457776203-404129466
                                                              • Opcode ID: 3bb149672087061a87249793c5071a40db424503eb2c850fd9521ce4c5824f01
                                                              • Instruction ID: a1c940609566e74d6b8ee5cd6d60b29a2fd4831ccdb905013ceea5b5d0eae8b6
                                                              • Opcode Fuzzy Hash: 3bb149672087061a87249793c5071a40db424503eb2c850fd9521ce4c5824f01
                                                              • Instruction Fuzzy Hash: 9D110532268347BAE714DE54DC42DAB679C9F16360F20802EF908A6181DAB06F646AA1
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00274312
                                                              • LoadStringW.USER32(00000000), ref: 00274319
                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0027432F
                                                              • LoadStringW.USER32(00000000), ref: 00274336
                                                              • _wprintf.LIBCMT ref: 0027435C
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0027437A
                                                              Strings
                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00274357
                                                              Similarity
                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                              • API String ID: 3648134473-3128320259
                                                              • Opcode ID: 80d6a61090e1322dadd83177016187823a1a69aaf1c9d5b03cb106562ba6c00e
                                                              • Instruction ID: c4b27cfe5d2c99d9f848e327d4f0c3ee5a258248e3a247b78907300f6c0451c1
                                                              • Opcode Fuzzy Hash: 80d6a61090e1322dadd83177016187823a1a69aaf1c9d5b03cb106562ba6c00e
                                                              • Instruction Fuzzy Hash: 3001A2F3900208BFE790ABA4EE8DFF6736CDB08301F0005A6BB09E2011EA705E944B71
                                                              APIs
                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0024C1C7,00000004,00000000,00000000,00000000), ref: 00212ACF
                                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0024C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00212B17
                                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0024C1C7,00000004,00000000,00000000,00000000), ref: 0024C21A
                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0024C1C7,00000004,00000000,00000000,00000000), ref: 0024C286
                                                              Similarity
                                                              • API ID: ShowWindow
                                                              • String ID:
                                                              • API String ID: 1268545403-0
                                                              • Opcode ID: 3111bd962c2f97734186b81a984f2f3c6e95a7fecaf8d52cb5def93f3b64f3c6
                                                              • Instruction ID: c1d46a678c2794a9fb54d4a2e5870d45d600c3a0523308cb0dfbe0505c333bd0
                                                              • Opcode Fuzzy Hash: 3111bd962c2f97734186b81a984f2f3c6e95a7fecaf8d52cb5def93f3b64f3c6
                                                              • Instruction Fuzzy Hash: E4413B31639781DAC7B99F289C8CBEA7BD5AF65300F34841AF08782560C6F198F9D720
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 002770DD
                                                                • Part of subcall function 00230DB6: std::exception::exception.LIBCMT ref: 00230DEC
                                                                • Part of subcall function 00230DB6: __CxxThrowException@8.LIBCMT ref: 00230E01
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00277114
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00277130
                                                              • _memmove.LIBCMT ref: 0027717E
                                                              • _memmove.LIBCMT ref: 0027719B
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 002771AA
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002771BF
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 002771DE
                                                              Similarity
                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 256516436-0
                                                              • Opcode ID: 6e3d85daff4a46721ead08098334dbd0c907177dbfbf3213cf69e3a8d36b2ca4
                                                              • Instruction ID: 98f2ff9621bd4b2ade1747ccaa96e078bbf5a5d34dad144fab6fe95eabc7be8d
                                                              • Opcode Fuzzy Hash: 6e3d85daff4a46721ead08098334dbd0c907177dbfbf3213cf69e3a8d36b2ca4
                                                              • Instruction Fuzzy Hash: 3C317271A10205EBCF40DFA4DD89AAE77B8EF45310F1441A6E908DB256D7709E20CBA0
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4dca3f5120985c3c25ce2c1351e4a96c3ae30c656f5685d441d0f099ea517f7
                                                              • Instruction ID: c927dc345d9ddae9d600d3838b5d38d1dd6c58b67dfbe6e6f6c34ad05b6189a2
                                                              • Opcode Fuzzy Hash: d4dca3f5120985c3c25ce2c1351e4a96c3ae30c656f5685d441d0f099ea517f7
                                                              • Instruction Fuzzy Hash: FC718F3191010AEFCB15DF58CC49AFEBBB9FF95310F148159FA15AA251C730AAA1CFA4
                                                              APIs
                                                              • _memset.LIBCMT ref: 0028F448
                                                              • _memset.LIBCMT ref: 0028F511
                                                              • ShellExecuteExW.SHELL32(?), ref: 0028F556
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                                • Part of subcall function 0022FC86: _wcscpy.LIBCMT ref: 0022FCA9
                                                              • GetProcessId.KERNEL32(00000000), ref: 0028F5CD
                                                              • CloseHandle.KERNEL32(00000000), ref: 0028F5FC
                                                              Similarity
                                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                              • String ID: @
                                                              • API String ID: 3522835683-2766056989
                                                              • Opcode ID: eec07a69242c6532ad727b2d3e97df4688694a6ac9e92415cdcb1b25adc3f2e1
                                                              • Instruction ID: 6d0983ebb7c8e931e0ddb33998ce9b2477e7c98b94b2e500ad744495d766b31b
                                                              • Opcode Fuzzy Hash: eec07a69242c6532ad727b2d3e97df4688694a6ac9e92415cdcb1b25adc3f2e1
                                                              • Instruction Fuzzy Hash: 5A61BF75A10619DFCB04EFA4C5959AEBBF4FF49310F158069E815AB391CB30AEA1CF90
                                                              APIs
                                                              • GetParent.USER32(?), ref: 00270F8C
                                                              • GetKeyboardState.USER32(?), ref: 00270FA1
                                                              • SetKeyboardState.USER32(?), ref: 00271002
                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00271030
                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0027104F
                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00271095
                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002710B8
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 6f9f8e9334fe07f01586c9c45445d6967b72710a22da224a8281ce4400158da5
                                                              • Instruction ID: e21656336a8f3496278638064bbedb663f6d31785802eb492e9403cc36f9a0a2
                                                              • Opcode Fuzzy Hash: 6f9f8e9334fe07f01586c9c45445d6967b72710a22da224a8281ce4400158da5
                                                              • Instruction Fuzzy Hash: 4851F3605247D679FB364A388C45BB6BEA95F06304F08C589E5DC858C3C6B4ACF8D751
                                                              APIs
                                                              • GetParent.USER32(00000000), ref: 00270DA5
                                                              • GetKeyboardState.USER32(?), ref: 00270DBA
                                                              • SetKeyboardState.USER32(?), ref: 00270E1B
                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00270E47
                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00270E64
                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00270EA8
                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00270EC9
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 315f3beccb90bf45e4177a8ef82dd02c17acace0efb06ce6c7b39db58d809610
                                                              • Instruction ID: f251bf3f92b59cc2c24ff441f16783625ec1618fdbd3e6784a34c35a1fa631c1
                                                              • Opcode Fuzzy Hash: 315f3beccb90bf45e4177a8ef82dd02c17acace0efb06ce6c7b39db58d809610
                                                              • Instruction Fuzzy Hash: 3951EAA05247D6BEF7328B648C85B767E999B06300F08C889E1DC468C2D7A5ACACD751
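The two GetKeyboardState/SetKeyboardState/PostMessageW functions listed above post WM_KEYDOWN (0x100) and WM_KEYUP (0x101) for wParam 0x10, 0x11, 0x12 and 0x5B, i.e. the Shift, Ctrl, Alt and Win virtual keys, to a control's parent window; that is consistent with how AutoIt's runtime drives modifier keys for ControlSend-style input (the report flags the binary as a likely compiled AutoIt script). The other USER32 calls in this section carry similarly opaque hex arguments (ShowWindow 0x6, LoadIconW 0x7F03, MessageBoxW 0x11010, SendMessageW 0x130C). The decoder below is an added example and is not part of the Joe Sandbox report or of the sample: it parses trace lines in the format used in these listings and names the Win32 constants for the calls that appear here. The constant tables are standard winuser.h/commctrl.h values; the sample trace is constructed by copying lines from the listings above; the function and table names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Trace lines in the listings look like:
#   • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00270E47
# Arguments are 32-bit hex values; "?" marks an argument the static analysis
# could not resolve. "ref" is the address of the call site.
CALL_RE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Standard Win32 constants (winuser.h / commctrl.h); only those needed to read
# the calls in this report are included.
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x130C: "TCM_SETCURSEL"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
SHOW_WINDOW = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED",
               4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW", 6: "SW_MINIMIZE"}
STOCK_ICONS = {0x7F00: "IDI_APPLICATION", 0x7F01: "IDI_HAND", 0x7F02: "IDI_QUESTION",
               0x7F03: "IDI_EXCLAMATION", 0x7F04: "IDI_ASTERISK"}
MB_TYPE = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE",
           3: "MB_YESNOCANCEL", 4: "MB_YESNO", 5: "MB_RETRYCANCEL"}
MB_ICON = {0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION", 0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}
MB_MODAL = {0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}
MB_BITS = [(0x00010000, "MB_SETFOREGROUND"), (0x00040000, "MB_TOPMOST")]


def parse_call(line: str) -> Optional[dict]:
    """Split one trace line into API name, module, argument list and call site."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        args.append(None if raw in ("", "?") else int(raw, 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def _sym(table: Dict[int, str], value: Optional[int]) -> str:
    """Symbolic name for a value, hex if unknown, '?' if unresolved."""
    if value is None:
        return "?"
    return table.get(value, f"0x{value:X}")


def decode_mb_flags(flags: int) -> str:
    """Expand a MessageBox uType value into its button, icon, modality and flag names."""
    parts = [MB_TYPE.get(flags & 0xF, f"0x{flags & 0xF:X}")]
    if flags & 0xF0:
        parts.append(MB_ICON.get(flags & 0xF0, f"0x{flags & 0xF0:X}"))
    if flags & 0x3000:
        parts.append(MB_MODAL.get(flags & 0x3000, f"0x{flags & 0x3000:X}"))
    parts.extend(name for bit, name in MB_BITS if flags & bit)
    return "|".join(parts)


def decode_call(call: dict) -> str:
    """Human-readable description of one parsed call; unknown APIs are passed through."""
    api, args = call["api"], call["args"]
    if api in ("PostMessageW", "SendMessageW") and len(args) >= 3:
        msg = _sym(WINDOW_MESSAGES, args[1])
        if args[1] in (0x0100, 0x0101):          # key messages: wParam is a virtual key
            return f"{api}: {msg} {_sym(VIRTUAL_KEYS, args[2])}"
        return f"{api}: {msg} wParam={_sym({}, args[2])}"
    if api == "ShowWindow" and len(args) >= 2:
        return f"ShowWindow: {_sym(SHOW_WINDOW, args[1])}"
    if api == "EnableWindow" and len(args) >= 2:
        state = "?" if args[1] is None else ("enable" if args[1] else "disable")
        return f"EnableWindow: {state}"
    if api == "LoadIconW" and len(args) >= 2 and args[0] == 0:   # NULL hInstance: stock icon
        return f"LoadIconW: {_sym(STOCK_ICONS, args[1])}"
    if api == "MessageBoxW" and len(args) >= 4 and args[3] is not None:
        return f"MessageBoxW: {decode_mb_flags(args[3])}"
    return f"{api}: (no decoder for this call)"


def decode_trace(lines: List[str]) -> List[Tuple[int, str]]:
    """(call-site address, description) for every parseable line, in order."""
    out = []
    for line in lines:
        call = parse_call(line)
        if call is not None:
            out.append((call["ref"], decode_call(call)))
    return out


def injected_keys(lines: List[str]) -> List[Tuple[str, str]]:
    """The synthetic key events a function posts via Post/SendMessageW."""
    events = []
    for line in lines:
        call = parse_call(line)
        if (call and call["api"] in ("PostMessageW", "SendMessageW")
                and len(call["args"]) >= 3 and call["args"][1] in (0x0100, 0x0101)):
            events.append((WINDOW_MESSAGES[call["args"][1]], _sym(VIRTUAL_KEYS, call["args"][2])))
    return events


# Constructed input: trace lines copied from the function listings in this report.
SAMPLE_TRACE = [
    "• GetParent.USER32(00000000), ref: 00270DA5",
    "• GetKeyboardState.USER32(?), ref: 00270DBA",
    "• SetKeyboardState.USER32(?), ref: 00270E1B",
    "• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00270E47",
    "• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00270E64",
    "• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00270EA8",
    "• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00270EC9",
    "• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0024C1C7,00000004,00000000,00000000,00000000), ref: 0024C21A",
    "• LoadIconW.USER32(00000000,00007F03), ref: 00273033",
    "• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0027437A",
    "• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0029B7EF",
]

if __name__ == "__main__":
    for ref, text in decode_trace(SAMPLE_TRACE):
        print(f"{ref:08X}  {text}")
```

Run on the constructed trace, the four PostMessageW lines decode to WM_KEYDOWN for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, the ShowWindow call to SW_MINIMIZE, LoadIconW to the stock IDI_EXCLAMATION icon, and the MessageBoxW flags to MB_OK|MB_ICONHAND|MB_SYSTEMMODAL|MB_SETFOREGROUND. Lines without a decoder are kept with their API name so nothing in a trace is silently dropped.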
                                                              Similarity
                                                              • API ID: _wcsncpy$LocalTime
                                                              • String ID:
                                                              • API String ID: 2945705084-0
                                                              • Opcode ID: 7f473a158f61cea35bb8ee7ae25348b9bcac1e758493622205419c3783cdb3be
                                                              • Instruction ID: 93a792af3b3cc3a3d8055de3427b4e6ad96493695e985323062881707c131c03
                                                              • Opcode Fuzzy Hash: 7f473a158f61cea35bb8ee7ae25348b9bcac1e758493622205419c3783cdb3be
                                                              • Instruction Fuzzy Hash: 094182B5D20614B6CB15EBB48C46ACFF3BC9F04310F508956E518E3221FA34E365CBA6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @U=u
                                                              • API String ID: 0-2594219639
                                                              • Opcode ID: 7fc4d4133a09ac5e43fb10286fe0383b2930839bbdd503103c4d806a7374eadb
                                                              • Instruction ID: dc08bbfe7c93987e429ec210d8b50180d2e838d60847bc73f77c5176798c05bb
                                                              • Opcode Fuzzy Hash: 7fc4d4133a09ac5e43fb10286fe0383b2930839bbdd503103c4d806a7374eadb
                                                              • Instruction Fuzzy Hash: F341E435925315AFDF20DF28DC49FA9BBA8EB09310F150166F81AE72E0C770AD61DAD1
                                                              APIs
                                                                • Part of subcall function 0027466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00273697,?), ref: 0027468B
                                                                • Part of subcall function 0027466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00273697,?), ref: 002746A4
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 002736B7
                                                              • _wcscmp.LIBCMT ref: 002736D3
                                                              • MoveFileW.KERNEL32(?,?), ref: 002736EB
                                                              • _wcscat.LIBCMT ref: 00273733
                                                              • SHFileOperationW.SHELL32(?), ref: 0027379F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                              • String ID: \*.*
                                                              • API String ID: 1377345388-1173974218
                                                              • Opcode ID: cb0b3e52fd9fa4df7adbe85d9dfc8140057cbb1fccfad7bce72d617ba5eb678b
                                                              • Instruction ID: 495a4c1286bbbffc7d839d65c437b7d827226bc44c93a71281ec558bc4918670
                                                              • Opcode Fuzzy Hash: cb0b3e52fd9fa4df7adbe85d9dfc8140057cbb1fccfad7bce72d617ba5eb678b
                                                              • Instruction Fuzzy Hash: 4941CFB1118345AEC755EF64D442ADFB7ECAF89380F00482EF48AC3251EB34D299CB56
                                                              APIs
                                                              • _memset.LIBCMT ref: 002972AA
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00297351
                                                              • IsMenu.USER32(?), ref: 00297369
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002973B1
                                                              • DrawMenuBar.USER32 ref: 002973C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                              • String ID: 0
                                                              • API String ID: 3866635326-4108050209
                                                              • Opcode ID: eace20d5f2e2d02fdb385d64c05306038346ce84b86bd23539292f5b93c9c20b
                                                              • Instruction ID: fac2f7fd8ce0081f1458d2d934f340bac1d6f27d8e38daed34d4328aaf0da9ee
                                                              • Opcode Fuzzy Hash: eace20d5f2e2d02fdb385d64c05306038346ce84b86bd23539292f5b93c9c20b
                                                              • Instruction Fuzzy Hash: 9C411575A24209EFDF20DF50E884A9ABBF8FB09310F14856AFD15A7250D770ADA0EF54
                                                              APIs
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00290FD4
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00290FFE
                                                              • FreeLibrary.KERNEL32(00000000), ref: 002910B5
                                                                • Part of subcall function 00290FA5: RegCloseKey.ADVAPI32(?), ref: 0029101B
                                                                • Part of subcall function 00290FA5: FreeLibrary.KERNEL32(?), ref: 0029106D
                                                                • Part of subcall function 00290FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00291090
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00291058
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                              • String ID:
                                                              • API String ID: 395352322-0
                                                              • Opcode ID: d84c650c6eccc8a4f3f2dd795f8d9a85566e5849e12d65d596feb32d69e612ea
                                                              • Instruction ID: 9e4b0e9290c8cfdb4f647d420569cd2e0d39ec43b7b2998cf20dac27bbe2e7ce
                                                              • Opcode Fuzzy Hash: d84c650c6eccc8a4f3f2dd795f8d9a85566e5849e12d65d596feb32d69e612ea
                                                              • Instruction Fuzzy Hash: 77312B7191110ABFDF55DF91EC89EFFB7BCEF08300F00016AE905E2151EA759EA59AA0
                                                              APIs
                                                                • Part of subcall function 00287D8B: inet_addr.WS2_32(00000000), ref: 00287DB6
                                                              • socket.WS2_32(00000002,00000001,00000006), ref: 002861C6
                                                              • WSAGetLastError.WS2_32(00000000), ref: 002861D5
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0028620E
                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00286217
                                                              • WSAGetLastError.WS2_32 ref: 00286221
                                                              • closesocket.WS2_32(00000000), ref: 0028624A
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00286263
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 910771015-0
                                                              • Opcode ID: 174180514e8e98a6d6f3c81f89f1fd032e66f1ce24a517be6b85644bb8bea3a0
                                                              • Instruction ID: 2ace9f04c0a48e89ff54749bc55d09c9d4e19fe425c76aca544c2eefe0aede21
                                                              • Opcode Fuzzy Hash: 174180514e8e98a6d6f3c81f89f1fd032e66f1ce24a517be6b85644bb8bea3a0
                                                              • Instruction Fuzzy Hash: 4731BE35620108ABEF50AF64DC8DBBE7BA8EF45720F044069FD05E72D1CB70AD648BA1
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 0026AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0026AABC
                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00268F14
                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00268F27
                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00268F57
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$_memmove$ClassName
                                                              • String ID: @U=u$ComboBox$ListBox
                                                              • API String ID: 365058703-2258501812
                                                              • Opcode ID: 0aae1f30bca1efcd3c3126248fca2cb3b681a0cba55f6ade8beeb4cdfdbfa3b1
                                                              • Instruction ID: caa3415a5bdd1593b5f5b9dcfa03a057726bc6780d9c48ce176ae91265773e78
                                                              • Opcode Fuzzy Hash: 0aae1f30bca1efcd3c3126248fca2cb3b681a0cba55f6ade8beeb4cdfdbfa3b1
                                                              • Instruction Fuzzy Hash: 2821F271A24108BEDB14ABB09C89DFEB7BDDF55320B10421AF421A71E0DF3509A99A20
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                              • API String ID: 1038674560-2734436370
                                                              • Opcode ID: f70d5fa2c3c8362316dac28798e631ffe53c9e7fc02365d7a26cf6066b5700ad
                                                              • Instruction ID: db8b5ab0892d0a03d656736b27b417110fb3720f4ca5cebd8f4081fdcc3bcdab
                                                              • Opcode Fuzzy Hash: f70d5fa2c3c8362316dac28798e631ffe53c9e7fc02365d7a26cf6066b5700ad
                                                              • Instruction Fuzzy Hash: 85214FB223411266DA21EE34FD03EA7B3DCDF56340F104035F85686051EB915DF5C6A5
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 0026B204
                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0026B221
                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0026B259
                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0026B27F
                                                              • _wcsstr.LIBCMT ref: 0026B289
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                              • String ID: @U=u
                                                              • API String ID: 3902887630-2594219639
                                                              • Opcode ID: df3bfd0042a36705f09ce0d2c09be69dab62a67cd83e291d3bff82819181474a
                                                              • Instruction ID: 11535c3b2023a9cdb9973e548ed8ca1ccfe156ae82b849d70e2099d045c87845
                                                              • Opcode Fuzzy Hash: df3bfd0042a36705f09ce0d2c09be69dab62a67cd83e291d3bff82819181474a
                                                              • Instruction Fuzzy Hash: C321F571224201BBEB169F759C59E7F7BDCDF49710F00413AFC05DA161EB619CE09660
                                                              APIs
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00269320
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00269352
                                                              • __itow.LIBCMT ref: 0026936A
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00269392
                                                              • __itow.LIBCMT ref: 002693A3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$__itow$_memmove
                                                              • String ID: @U=u
                                                              • API String ID: 2983881199-2594219639
                                                              APIs
                                                                • Part of subcall function 00211D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00211D73
                                                                • Part of subcall function 00211D35: GetStockObject.GDI32(00000011), ref: 00211D87
                                                                • Part of subcall function 00211D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00211D91
                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00297632
                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0029763F
                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0029764A
                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00297659
                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00297665
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                              • String ID: Msctls_Progress32
                                                              • API String ID: 1025951953-3636473452
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00233F85), ref: 00234085
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0023408C
                                                              • RtlEncodePointer.NTDLL(00000000), ref: 00234097
                                                              • RtlDecodePointer.NTDLL(00233F85), ref: 002340B2
                                                              Strings
                                                              Similarity
                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                              • String ID: RoUninitialize$combase.dll
                                                              • API String ID: 3489934621-2819208100
                                                              APIs
                                                              • __WSAFDIsSet.WS2_32(00000000,?), ref: 00286C00
                                                              • WSAGetLastError.WS2_32(00000000), ref: 00286C34
                                                              • htons.WS2_32(?), ref: 00286CEA
                                                              • inet_ntoa.WS2_32(?), ref: 00286CA7
                                                                • Part of subcall function 0026A7E9: _strlen.LIBCMT ref: 0026A7F3
                                                                • Part of subcall function 0026A7E9: _memmove.LIBCMT ref: 0026A815
                                                              • _strlen.LIBCMT ref: 00286D44
                                                              • _memmove.LIBCMT ref: 00286DAD
                                                              Similarity
                                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                              • String ID:
                                                              • API String ID: 3619996494-0
                                                              APIs
                                                              Similarity
                                                              • API ID: _memmove$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 3253778849-0
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 00290E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028FDAD,?,?), ref: 00290E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002902BD
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002902FD
                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00290320
                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00290349
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0029038C
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00290399
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                              • String ID:
                                                              • API String ID: 4046560759-0
                                                              APIs
                                                              • GetMenu.USER32(?), ref: 002957FB
                                                              • GetMenuItemCount.USER32(00000000), ref: 00295832
                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0029585A
                                                              • GetMenuItemID.USER32(?,?), ref: 002958C9
                                                              • GetSubMenu.USER32(?,?), ref: 002958D7
                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00295928
                                                              Similarity
                                                              • API ID: Menu$Item$CountMessagePostString
                                                              • String ID:
                                                              • API String ID: 650687236-0
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 0026EF06
                                                              • VariantClear.OLEAUT32(00000013), ref: 0026EF78
                                                              • VariantClear.OLEAUT32(00000000), ref: 0026EFD3
                                                              • _memmove.LIBCMT ref: 0026EFFD
                                                              • VariantClear.OLEAUT32(?), ref: 0026F04A
                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0026F078
                                                              Similarity
                                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                                              • String ID:
                                                              • API String ID: 1101466143-0
                                                              APIs
                                                              • _memset.LIBCMT ref: 00272258
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002722A3
                                                              • IsMenu.USER32(00000000), ref: 002722C3
                                                              • CreatePopupMenu.USER32 ref: 002722F7
                                                              • GetMenuItemCount.USER32(000000FF), ref: 00272355
                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00272386
                                                              Similarity
                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                              • String ID:
                                                              • API String ID: 3311875123-0
                                                              APIs
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0021179A
                                                              • GetWindowRect.USER32(?,?), ref: 002117FE
                                                              • ScreenToClient.USER32(?,?), ref: 0021181B
                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0021182C
                                                              • EndPaint.USER32(?,?), ref: 00211876
                                                              Similarity
                                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                              • String ID:
                                                              • API String ID: 1827037458-0
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00284E41,?,?,00000000,00000001), ref: 002870AC
                                                                • Part of subcall function 002839A0: GetWindowRect.USER32(?,?), ref: 002839B3
                                                              • GetDesktopWindow.USER32 ref: 002870D6
                                                              • GetWindowRect.USER32(00000000), ref: 002870DD
                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0028710F
                                                                • Part of subcall function 00275244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002752BC
                                                              • GetCursorPos.USER32(?), ref: 0028713B
                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00287199
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                              • String ID:
                                                              • API String ID: 4137160315-0
                                                              • Opcode ID: e2efaed67b363c0ff97fcb3638ad0f9e3724f522d2878fa3a3df713b1607e185
                                                              • Instruction ID: 41f24bda17505540870aa9ee003a09d2e830e89a769eeb632e7905de9ff3814f
                                                              • Opcode Fuzzy Hash: e2efaed67b363c0ff97fcb3638ad0f9e3724f522d2878fa3a3df713b1607e185
                                                              • Instruction Fuzzy Hash: 28310472519306ABC720EF14D849F9BB7E9FF88304F10091AF888D7191C770EA18CB92
                                                              APIs
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                                • Part of subcall function 0022FC86: _wcscpy.LIBCMT ref: 0022FCA9
                                                              • _wcstok.LIBCMT ref: 0027EC94
                                                              • _wcscpy.LIBCMT ref: 0027ED23
                                                              • _memset.LIBCMT ref: 0027ED56
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                              • String ID: X
                                                              • API String ID: 774024439-3081909835
                                                              • Opcode ID: ac870a20328a92af58aceb88e6dde2aed66e6972fb047e841fe1adf397691385
                                                              • Instruction ID: db36809f331c18a61a49d16407ae62f8ec55e2daf23b8d42bb3d5af7e4e8b327
                                                              • Opcode Fuzzy Hash: ac870a20328a92af58aceb88e6dde2aed66e6972fb047e841fe1adf397691385
                                                              • Instruction Fuzzy Hash: 5FC1A1715283019FCB54EF24C491A9AB7E4FF99310F01896DF899872A1DB30EDA5CF92
                                                              APIs
                                                                • Part of subcall function 002680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002680C0
                                                                • Part of subcall function 002680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002680CA
                                                                • Part of subcall function 002680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002680D9
                                                                • Part of subcall function 002680A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 002680E0
                                                                • Part of subcall function 002680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002680F6
                                                              • GetLengthSid.ADVAPI32(?,00000000,0026842F), ref: 002688CA
                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 002688D6
                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 002688DD
                                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 002688F6
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,0026842F), ref: 0026890A
                                                              • HeapFree.KERNEL32(00000000), ref: 00268911
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                                              • String ID:
                                                              • API String ID: 169236558-0
                                                              • Opcode ID: 0ab76882fe5d30281cf9d44db2fde677ca4507be6aeabceaddd668929b9fd77f
                                                              • Instruction ID: dd763d3c29484fa184b2c17e4a69252b91f6c03c3761fc9da8ed50bd742ceb6b
                                                              • Opcode Fuzzy Hash: 0ab76882fe5d30281cf9d44db2fde677ca4507be6aeabceaddd668929b9fd77f
                                                              • Instruction Fuzzy Hash: 9F11B131522209FFDB509FA4DD09BBE7768EB45311F10422DE889D7210CB329DA0DB60
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0026B7B5
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0026B7C6
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0026B7CD
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0026B7D5
                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0026B7EC
                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0026B7FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: 0e31d5d58ddc98ccf5a96b1b678416d289c709aaea712ec885a877ae589f33fe
                                                              • Instruction ID: cdd90977c5bda500ac53894955cc407cbea56afe251cdffe0be8ff1544003ced
                                                              • Opcode Fuzzy Hash: 0e31d5d58ddc98ccf5a96b1b678416d289c709aaea712ec885a877ae589f33fe
                                                              • Instruction Fuzzy Hash: 74018875E00305BBEB505FA69D49A5EBFB8EB48311F004076FA04E7291D6309C10CF90
                                                              APIs
                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00230193
                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 0023019B
                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002301A6
                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002301B1
                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 002301B9
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 002301C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Virtual
                                                              • String ID:
                                                              • API String ID: 4278518827-0
                                                              • Opcode ID: 2c3300b2bd3af79f6df75caba4f8eb84766b3463cde1ee846afb7bbeb4ccbf5a
                                                              • Instruction ID: 4e5677484d888f09712b002afdd6edd83013271a8cd314beeea1f5a2d4274905
                                                              • Opcode Fuzzy Hash: 2c3300b2bd3af79f6df75caba4f8eb84766b3463cde1ee846afb7bbeb4ccbf5a
                                                              • Instruction Fuzzy Hash: 480148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15887941C7B5A864CBE5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002753F9
                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0027540F
                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 0027541E
                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027542D
                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00275437
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027543E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 839392675-0
                                                              • Opcode ID: f7cb0c086f84add2043bebb2af07019b98a96a6ebca2c60d9fa7a76aa11ec8d6
                                                              • Instruction ID: 3f02863c432d82c8ebdfedf0ea2d5bccd7223659e66ed94d5167563d2349bbda
                                                              • Opcode Fuzzy Hash: f7cb0c086f84add2043bebb2af07019b98a96a6ebca2c60d9fa7a76aa11ec8d6
                                                              • Instruction Fuzzy Hash: 84F09032240258BBE3A05BA2ED0DEEF7B7CEFC6B11F00016AFA18D1050D7A01A0186B5
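The call listings in this report print every stack slot the sandbox saw, so a line such as OpenProcess(001F0FFF,...) carries the real arguments followed by unrelated stack contents, and constants like 00000010 or 000001F4 have to be decoded by hand. The helper below is an added example and not part of the Joe Sandbox report: it parses listing lines of this format, truncates each call to its real parameter count, names the constants that matter for triage (WM_CLOSE, SMTO_ABORTIFHUNG, a 500 ms timeout, PROCESS_ALL_ACCESS, the mouse_event and MapVirtualKeyW flags), and flags the graceful-then-forced close sequence of the routine at 002753F9 through 0027543E. The parameter counts and constant names come from the Win32 SDK headers; the ARITY and decoder tables cover only the APIs that appear in this section and are an assumption the reader should extend for other listings. The sample lines are copied from the listing above.

```python
"""Decode Win32 API call lines from a Joe Sandbox function listing (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample input: the six call lines of the routine above, copied from the listing.
SAMPLE_LINES = [
    "• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002753F9",
    "• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0027540F",
    "• GetWindowThreadProcessId.USER32(?,?), ref: 0027541E",
    "• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027542D",
    "• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00275437",
    "• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027543E",
]

LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)$"
)

# Real parameter counts from the Win32 SDK (assumed table, limited to APIs seen in this section).
# Tokens beyond the count are neighbouring stack slots printed by the sandbox, not arguments.
ARITY: Dict[str, int] = {
    "PostMessageW": 4, "SendMessageTimeoutW": 7, "GetWindowThreadProcessId": 2,
    "OpenProcess": 3, "TerminateProcess": 2, "CloseHandle": 1, "mouse_event": 5,
    "MapVirtualKeyW": 2, "GetDeviceCaps": 2, "TerminateThread": 2,
    "WaitForSingleObject": 2, "GetTokenInformation": 5, "RtlAllocateHeap": 3,
}

WINDOW_MESSAGES = {0x10: "WM_CLOSE", 0x12: "WM_QUIT"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
DEVICE_CAPS = {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"}
TOKEN_CLASSES = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges"}
SMTO_FLAGS = {0x1: "SMTO_BLOCK", 0x2: "SMTO_ABORTIFHUNG", 0x8: "SMTO_NOTIMEOUTIFNOTHUNG"}
MOUSE_FLAGS = {0x0001: "MOUSEEVENTF_MOVE", 0x0002: "MOUSEEVENTF_LEFTDOWN",
               0x0004: "MOUSEEVENTF_LEFTUP", 0x8000: "MOUSEEVENTF_ABSOLUTE"}
HEAP_FLAGS = {0x8: "HEAP_ZERO_MEMORY"}
PROCESS_ALL_ACCESS = 0x1F0FFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF (Vista and later)


def _flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as OR-ed names; leftover unknown bits stay hexadecimal."""
    names = [name for bit, name in table.items() if value & bit == bit]
    covered = sum(bit for bit in table if value & bit == bit)
    rest = value & ~covered
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)


def _named(table: Dict[int, str]) -> Callable[[int], str]:
    return lambda v: table.get(v, hex(v))


def _millis(v: int) -> str:
    return f"{v} ms"


# (api, zero-based parameter index) -> decoder for that parameter.
PARAM_DECODERS: Dict[Tuple[str, int], Callable[[int], str]] = {
    ("PostMessageW", 1): _named(WINDOW_MESSAGES),
    ("SendMessageTimeoutW", 1): _named(WINDOW_MESSAGES),
    ("SendMessageTimeoutW", 4): lambda v: _flags(v, SMTO_FLAGS),
    ("SendMessageTimeoutW", 5): _millis,
    ("OpenProcess", 0): lambda v: "PROCESS_ALL_ACCESS" if v == PROCESS_ALL_ACCESS else hex(v),
    ("mouse_event", 0): lambda v: _flags(v, MOUSE_FLAGS),
    ("MapVirtualKeyW", 0): _named(VIRTUAL_KEYS),
    ("GetDeviceCaps", 1): _named(DEVICE_CAPS),
    ("WaitForSingleObject", 1): _millis,
    ("GetTokenInformation", 1): _named(TOKEN_CLASSES),
    ("RtlAllocateHeap", 1): lambda v: _flags(v, HEAP_FLAGS),
}


def parse_call(line: str) -> dict:
    """Parse one listing line into api, module, ref, decoded args and the stack noise."""
    m = LINE_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"not a sandbox API line: {line!r}")
    api = m["api"]
    raw = m["args"].split(",") if m["args"] else []
    arity = ARITY.get(api, len(raw))  # unknown API: keep every token
    args: List[str] = []
    for i, tok in enumerate(raw[:arity]):
        if tok == "?":
            args.append("?")  # value not known to the sandbox at dump time
            continue
        value = int(tok, 16)
        decoder = PARAM_DECODERS.get((api, i))
        args.append(decoder(value) if decoder else hex(value))
    return {"api": api, "module": m["module"], "ref": int(m["ref"], 16),
            "subcall": m["sub"], "args": args, "stack_noise": raw[arity:]}


def summarize(lines: List[str]) -> List[str]:
    """Render each call as API(decoded args) with the stack noise removed."""
    return [f"{c['api']}({', '.join(c['args'])})" for c in map(parse_call, lines)]


def is_forced_window_kill(lines: List[str]) -> bool:
    """True when WM_CLOSE is sent to a window and the owning process is then
    opened and terminated: the graceful-then-forced close seen in the listing."""
    calls = [parse_call(line) for line in lines]
    closed = any(c["api"].startswith(("PostMessage", "SendMessage"))
                 and "WM_CLOSE" in c["args"] for c in calls)
    order = [c["api"] for c in calls]
    try:
        return closed and order.index("OpenProcess") < order.index("TerminateProcess")
    except ValueError:  # no OpenProcess/TerminateProcess pair in this function
        return False


if __name__ == "__main__":
    for text in summarize(SAMPLE_LINES):
        print(text)
    print("forced window kill:", is_forced_window_kill(SAMPLE_LINES))
```

Run over the six lines, the helper reduces OpenProcess to its three real parameters (PROCESS_ALL_ACCESS, no inheritance, unknown PID) and shows the 13 trailing tokens as stack noise, which is also why the same 00000010/000001F4 values recur in the TerminateProcess and CloseHandle lines. Requesting PROCESS_ALL_ACCESS rather than PROCESS_TERMINATE is a small but useful triage detail, since it fails against protected processes and stands out in access-audit telemetry.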
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,?), ref: 00277243
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00277254
                                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00220EE4,?,?), ref: 00277261
                                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00220EE4,?,?), ref: 0027726E
                                                                • Part of subcall function 00276C35: CloseHandle.KERNEL32(00000000,?,0027727B,?,00220EE4,?,?), ref: 00276C3F
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00277281
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00277288
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                              • String ID:
                                                              • API String ID: 3495660284-0
                                                              • Opcode ID: dd18d6942db65eac42af3a734baeb46c9b5276324a742401d43563630a331f0a
                                                              • Instruction ID: d1f33dd19820b7892b0e1faf2691a3e7ed9d25d380e47b3f3128cb92e596d176
                                                              • Opcode Fuzzy Hash: dd18d6942db65eac42af3a734baeb46c9b5276324a742401d43563630a331f0a
                                                              • Instruction Fuzzy Hash: 88F05E36940612EBD7D21F64FE4DADA7729EF45702B100533FA03D10A1CB766821CB50
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00288613
                                                              • CharUpperBuffW.USER32(?,?), ref: 00288722
                                                              • VariantClear.OLEAUT32(?), ref: 0028889A
                                                                • Part of subcall function 00277562: VariantInit.OLEAUT32(00000000), ref: 002775A2
                                                                • Part of subcall function 00277562: VariantCopy.OLEAUT32(00000000,?), ref: 002775AB
                                                                • Part of subcall function 00277562: VariantClear.OLEAUT32(00000000), ref: 002775B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                              • API String ID: 4237274167-1221869570
                                                              • Opcode ID: ae6345d06b3880c441c66421c37fde83f22a9fe37b0e74f7079a93ca5d7decff
                                                              • Instruction ID: 4d8a29544651df819f8ce2433c0fda09d62ebe826966299bdae9ca38b4d92101
                                                              • Opcode Fuzzy Hash: ae6345d06b3880c441c66421c37fde83f22a9fe37b0e74f7079a93ca5d7decff
                                                              • Instruction Fuzzy Hash: 5D918B746243019FC710EF24C48496AB7E8EF89714F54896EF88A8B3A1DB31E955CF92
                                                              APIs
                                                                • Part of subcall function 0022FC86: _wcscpy.LIBCMT ref: 0022FCA9
                                                              • _memset.LIBCMT ref: 00272B87
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00272BB6
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00272C69
                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00272C97
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                              • String ID: 0
                                                              • API String ID: 4152858687-4108050209
                                                              • Opcode ID: dab18f92b6988bb921db8cc8c06c4a751fac7a52ce735b597dab0b5cbda020d3
                                                              • Instruction ID: 370dfbcdff9050998113aa4ad7d023dfee509f7d80ed28da73f673843afe4d9a
                                                              • Opcode Fuzzy Hash: dab18f92b6988bb921db8cc8c06c4a751fac7a52ce735b597dab0b5cbda020d3
                                                              • Instruction Fuzzy Hash: 5251E171628312DBD7269E28D84566F77E8EF69310F05892EF888D2190DB70CD688B52
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _memmove$_free
                                                              • String ID: 3c"$_"
                                                              • API String ID: 2620147621-2711503754
                                                              • Opcode ID: 0f7780cbb34585432d5b50619b59b06ef11df1870730143b78149c2879af2690
                                                              • Instruction ID: dad1c48214b0443bc8bf34cfcc77b779a981491ca5e9f55124aba9e1e2bd164e
                                                              • Opcode Fuzzy Hash: 0f7780cbb34585432d5b50619b59b06ef11df1870730143b78149c2879af2690
                                                              • Instruction Fuzzy Hash: 3951BB71A243129FCB24CF68D481B6ABBE1FF85310F44486DE88987350DB35E921CF82
                                                              APIs
                                                              • GetWindowRect.USER32(0156DCD0,?), ref: 00299863
                                                              • ScreenToClient.USER32(00000002,00000002), ref: 00299896
                                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00299903
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientMoveRectScreen
                                                              • String ID: @U=u
                                                              • API String ID: 3880355969-2594219639
                                                              • Opcode ID: 7f67df958028edc3c61c73798a651e2867dc620ba619d210c6a34bdeb92b4bdf
                                                              • Instruction ID: f5e36f2b658b41c5df87acbc4d1447f9bd4a4a26cf2140407185120605a9c655
                                                              • Opcode Fuzzy Hash: 7f67df958028edc3c61c73798a651e2867dc620ba619d210c6a34bdeb92b4bdf
                                                              • Instruction Fuzzy Hash: A6514E34A10209AFDF10CF58D984AAE7BB5FF45360F14856DF865DB2A0D731AD91CB90
                                                              APIs
                                                                • Part of subcall function 002714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00269296,?,?,00000034,00000800,?,00000034), ref: 002714E6
                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0026983F
                                                                • Part of subcall function 00271487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002714B1
                                                                • Part of subcall function 002713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00271409
                                                                • Part of subcall function 002713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0026925A,00000034,?,?,00001004,00000000,00000000), ref: 00271419
                                                                • Part of subcall function 002713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0026925A,00000034,?,?,00001004,00000000,00000000), ref: 0027142F
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002698AC
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002698F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @$@U=u
                                                              • API String ID: 4150878124-826235744
                                                              • Opcode ID: 330a31955b9cb45ba1b0407bc4f36614f9a1c2fac76a5aadb636a456c965a8b2
                                                              • Instruction ID: 8f6dacdee8cb8c3fa422348d7ca807fc156d997dac42a7860fcb048f147f526c
                                                              • Opcode Fuzzy Hash: 330a31955b9cb45ba1b0407bc4f36614f9a1c2fac76a5aadb636a456c965a8b2
                                                              • Instruction Fuzzy Hash: CD415176901218BFDB20DFA4CD45ADEBBB8EF05300F004199F959B7181DA706E95CFA0
                                                              APIs
                                                              • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0026D5D4
                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0026D60A
                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0026D61B
                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0026D69D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                              • String ID: DllGetClassObject
                                                              • API String ID: 753597075-1075368562
                                                              • Opcode ID: 7c848bf7395b17b4be30226f16f3d7b8bde58f47d8b29385333715d4e1fb3402
                                                              • Instruction ID: b6240a555ab7493aafff9bc8bccd70e03e27d3ad428d49ee9b44e0db138a2e2a
                                                              • Opcode Fuzzy Hash: 7c848bf7395b17b4be30226f16f3d7b8bde58f47d8b29385333715d4e1fb3402
                                                              • Instruction Fuzzy Hash: 07417FB1A10209EFDB05DF54D884A9ABBA9EF44310F1581A9ED09DF205D7B1D994CBA0
                                                              APIs
                                                              • _memset.LIBCMT ref: 002727C0
                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002727DC
                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00272822
                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002D5890,00000000), ref: 0027286B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Menu$Delete$InfoItem_memset
                                                              • String ID: 0
                                                              • API String ID: 1173514356-4108050209
                                                              • Opcode ID: 3a83cd5c056350a3b228aeec638fbd6b784148798b5676e746427ee58bb51ec7
                                                              • Instruction ID: cdd4f6fcbb588ab4c948271a91edf623af17adb8ac18129b21dd2071cceb0abd
                                                              • Opcode Fuzzy Hash: 3a83cd5c056350a3b228aeec638fbd6b784148798b5676e746427ee58bb51ec7
                                                              • Instruction Fuzzy Hash: 3741C070214342DFD720DF24D844B1ABBE8EF84314F04892EF8A997291D731A818CB63
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002988DE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID: @U=u
                                                              • API String ID: 634782764-2594219639
                                                              • Opcode ID: 644b53f2d07cc6798582ec8d586502c68a2496940e2a30b20198307345afa35e
                                                              • Instruction ID: b223a635dd65118e4deff954094f32785ae8d74715a9f8d5e49a5f928b5012e8
                                                              • Opcode Fuzzy Hash: 644b53f2d07cc6798582ec8d586502c68a2496940e2a30b20198307345afa35e
                                                              • Instruction Fuzzy Hash: F731A134620109AFFF209F68DC49FB877A5FB07310F984116FA15E62A1CA70DD609B52
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0028D7C5
                                                                • Part of subcall function 0021784B: _memmove.LIBCMT ref: 00217899
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower_memmove
                                                              • String ID: cdecl$none$stdcall$winapi
                                                              • API String ID: 3425801089-567219261
                                                              • Opcode ID: 9ad5161d7faf8524239400c26e287d79d21e562e35030de3b16a9f88d669cdf7
                                                              • Instruction ID: 59ef35b033a591deb771c71b38bc014c09db4e077f30cf1acab934c46c24d9ee
                                                              • Opcode Fuzzy Hash: 9ad5161d7faf8524239400c26e287d79d21e562e35030de3b16a9f88d669cdf7
                                                              • Instruction Fuzzy Hash: 3231F27592421AABCF00EF54C8959EEB3F4FF10320F108669E865972C1DB31A96ACF80
                                                              APIs
                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028184C
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00281872
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002818A2
                                                              • InternetCloseHandle.WININET(00000000), ref: 002818E9
                                                                • Part of subcall function 00282483: GetLastError.KERNEL32(?,?,00281817,00000000,00000000,00000001), ref: 00282498
                                                                • Part of subcall function 00282483: SetEvent.KERNEL32(?,?,00281817,00000000,00000000,00000001), ref: 002824AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                              • String ID:
                                                              • API String ID: 3113390036-3916222277
                                                              • Opcode ID: 32955a421cb6e0a5f7d6a3cba458b1a4623d2a8b1be1fdf805930c9fe9257999
                                                              • Instruction ID: 2c19cbba6410f9e896fc4d20af79efb569dab0ccebe386a8253c6db0a52dad55
                                                              • Opcode Fuzzy Hash: 32955a421cb6e0a5f7d6a3cba458b1a4623d2a8b1be1fdf805930c9fe9257999
                                                              • Instruction Fuzzy Hash: 7F21AFB9521208BFFB11AF60DC86EBB76ADEB48744F10412AF805D31C0DA609D265BA0
                                                              APIs
                                                                • Part of subcall function 00211D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00211D73
                                                                • Part of subcall function 00211D35: GetStockObject.GDI32(00000011), ref: 00211D87
                                                                • Part of subcall function 00211D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00211D91
                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00296461
                                                              • LoadLibraryW.KERNEL32(?), ref: 00296468
                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0029647D
                                                              • DestroyWindow.USER32(?), ref: 00296485
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                              • String ID: SysAnimate32
                                                              • API String ID: 4146253029-1011021900
                                                              • Opcode ID: 7333c8fc60059a42be8198cc2e9efdbd3f221d1142d72fa0380ce530c784559e
                                                              • Instruction ID: 6fe350e84d411ca79a3d2afe138af2fe7aa5bed76dc40e5d9d34ac408ca06c42
                                                              • Opcode Fuzzy Hash: 7333c8fc60059a42be8198cc2e9efdbd3f221d1142d72fa0380ce530c784559e
                                                              • Instruction Fuzzy Hash: 9B216F71120206BFEF204FA4EC48EBB77EDEF59764F105629FA1092190D771DC619B60
                                                              APIs
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00276DBC
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00276DEF
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00276E01
                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00276E3B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 7286f8ae8c666d9bc8e0c6d65b286779bf16937fa626195fd3ca15d70d81ecaa
                                                              • Instruction ID: 15a73b2337bf7b6abde8807635b11f1464f6f7d10d67d4aba77199948c705480
                                                              • Opcode Fuzzy Hash: 7286f8ae8c666d9bc8e0c6d65b286779bf16937fa626195fd3ca15d70d81ecaa
                                                              • Instruction Fuzzy Hash: 3321957562060AAFDB309F29DC0CB9A7BF4EF45720F20861AFDA4D72D0D77199608B54
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00276E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00276EBB
• GetStdHandle.KERNEL32(000000F6), ref: 00276ECC
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00276F06
Strings
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 11687523def8cd1eef85c470484eab82e4e3870765720b424553691eb3ad123f
• Instruction ID: 090d52c40ec7e6fc8e4b1ea1b0eda9b89016c296974124f8d2ddb6437f63648f
• Opcode Fuzzy Hash: 11687523def8cd1eef85c470484eab82e4e3870765720b424553691eb3ad123f
• Instruction Fuzzy Hash: E721B8759107069BDB209F69DC0CF5A77E8EF45720F208A1AFCA5D72D0D7719860CB61
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0027AC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0027ACA8
• __swprintf.LIBCMT ref: 0027ACC1
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0029F910), ref: 0027ACFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 44ae595dbb4d580365193988cc1c0361600b9b825965b1d4cf428976d60d60d1
• Instruction ID: 7dd56223506dc254936c6d7ee7776582e3e11eb5b5a4e53b5e67783d14909dce
• Opcode Fuzzy Hash: 44ae595dbb4d580365193988cc1c0361600b9b825965b1d4cf428976d60d60d1
• Instruction Fuzzy Hash: 99217130A10109EFCB50DF65D945DEE7BB8EF89314B1040A9F909DB251DA31EA51CF61
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0026FCED,?,00270D40,?,00008000), ref: 0027115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0026FCED,?,00270D40,?,00008000), ref: 00271184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0026FCED,?,00270D40,?,00008000), ref: 0027118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,0026FCED,?,00270D40,?,00008000), ref: 002711C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID: @'
• API String ID: 2875609808-2675941364
• Opcode ID: 16d110833a3169511111aafd5466236e820fcc2a13c882269d6e194b010987f6
• Instruction ID: dfa09a1c5b051fe918e116cb849221832c4ec9bffb8ca15c6822c37ef09972d0
• Opcode Fuzzy Hash: 16d110833a3169511111aafd5466236e820fcc2a13c882269d6e194b010987f6
• Instruction Fuzzy Hash: F5114C31C11519D7CF009FA8E948AEEBB78FF09711F408056DA48B6240CA7055709BD1
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0028EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0028EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0028ED6A
• CloseHandle.KERNEL32(?), ref: 0028EDEB
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: e39d47858119589a9295ae6a66041f11a791aa555b560935f1c8ad016c2a4b6f
• Instruction ID: 7ec1ffb8828a93de4ed80d36f693b0ba2dc8f271f3f2ec9b80f555654ef297f7
• Opcode Fuzzy Hash: e39d47858119589a9295ae6a66041f11a791aa555b560935f1c8ad016c2a4b6f
• Instruction Fuzzy Hash: 4381B0716103019FDB60EF28D896F6AB7E5AF54710F05881DF999DB2D2D6B0AC90CF82
APIs
  • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
  • Part of subcall function 00290E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028FDAD,?,?), ref: 00290E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002900FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00290183
• RegCloseKey.ADVAPI32(?,?), ref: 002901AF
• RegCloseKey.ADVAPI32(00000000), ref: 002901BC
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: c2b61f034df3ad156cf273e6c4a7e1f959fa61277f675a143751d54b29d35b0b
• Instruction ID: a9a17e77a0bc6d29ca47d661d3b89af075b9b337b9f528e39993ca5828c7b5a9
• Opcode Fuzzy Hash: c2b61f034df3ad156cf273e6c4a7e1f959fa61277f675a143751d54b29d35b0b
• Instruction Fuzzy Hash: 3A516E31228205AFDB04EF58C885EAEB7E9FF84314F40491DF59987291DB31E964CF52
APIs
  • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
  • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0028D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0028D9AA
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0028D9C6
• GetProcAddress.KERNEL32(00000000,?), ref: 0028DA07
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0028DA21
  • Part of subcall function 00215A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00277896,?,?,00000000), ref: 00215A2C
  • Part of subcall function 00215A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00277896,?,?,00000000,?,?), ref: 00215A50
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: 5e49add12a4eb2238159152b8e0001030c82632f135befa8c08ef60774370e38
• Instruction ID: 9f22c128711a3bc66f7b0678f15095f950f15c616a0f82c7d7aa0fd5196d2873
• Opcode Fuzzy Hash: 5e49add12a4eb2238159152b8e0001030c82632f135befa8c08ef60774370e38
• Instruction Fuzzy Hash: 1F514939A15205DFCB04EFA8C4849ADB7F4FF58310B1480A5E859AB392D730EEA5CF91
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0027E61F
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0027E648
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0027E687
  • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
  • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0027E6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0027E6B4
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: c21f731950e395539b842a00752978d0a4c54d7efda8c4b93d8abf1b2760f12e
• Instruction ID: 1095ae32b40b7719745cdedf094e5945770172be93c6bf9343a1168aa088b6ed
• Opcode Fuzzy Hash: c21f731950e395539b842a00752978d0a4c54d7efda8c4b93d8abf1b2760f12e
• Instruction Fuzzy Hash: 67511A75A10105DFCF01EF64C995AAEBBF5EF19314B1580A5E809AB361CB31EDA1CF60
APIs
• GetCursorPos.USER32(?), ref: 00212357
• ScreenToClient.USER32(002D57B0,?), ref: 00212374
• GetAsyncKeyState.USER32(00000001), ref: 00212399
• GetAsyncKeyState.USER32(00000002), ref: 002123A7
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 733298e246ff0e52a2d369ebb4db66d72efc7b9a83f64e0328f43c0d9cc5fd18
• Instruction ID: 8ae408f4a6620305345ed1d49e088d4a3dc6b05d419fa4b59d593da6df07db21
• Opcode Fuzzy Hash: 733298e246ff0e52a2d369ebb4db66d72efc7b9a83f64e0328f43c0d9cc5fd18
• Instruction Fuzzy Hash: AA418335514106FBCF599F68C848AEDBBB4FB15360F204356F839922A0C77499B4DF90
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002663E7
• TranslateAcceleratorW.USER32(?,?,?), ref: 00266433
• TranslateMessage.USER32(?), ref: 0026645C
• DispatchMessageW.USER32(?), ref: 00266466
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00266475
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: db4689c70ddd5ae409281dd04c7e7adc846039fa25ab7568528e68440d8c86c2
• Instruction ID: 7288a760341b7199838b4df385841456c0739667b415947b3c77f2b92b2d7dfa
• Opcode Fuzzy Hash: db4689c70ddd5ae409281dd04c7e7adc846039fa25ab7568528e68440d8c86c2
• Instruction Fuzzy Hash: E231A531921657EFDB74CF70EC4CBB6BBACAB01300F140166E425C21A1EBA598E9DB60
APIs
• GetWindowRect.USER32(?,?), ref: 00268A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00268ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00268AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00268AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00268AF8
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: e7ca852e270122259cf6f9b6cfc15ca0c1143a9afff64ec94487082c1786f980
• Instruction ID: 71a08f0c45675a53e51b0b8dbf72a5cb788f4e0bcd4c13f362624e7ba94ca008
• Opcode Fuzzy Hash: e7ca852e270122259cf6f9b6cfc15ca0c1143a9afff64ec94487082c1786f980
• Instruction Fuzzy Hash: B531BF7150021AEBDF14CFA8D94CA9E3BB5EB04315F10822AFD25E61D0CBB09DA4DB90

APIs
  • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
• GetWindowLongW.USER32(?,000000F0), ref: 0029B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0029B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0029B1CF
• GetSystemMetrics.USER32(00000004), ref: 0029B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00280E90,00000000), ref: 0029B216
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: c0769648b4d2847dcec7c77448016d2e8242782cb80c48ea4680420fa25a75c6
• Instruction ID: 232b89e99d5cb680390c32f3d17b6c923abe710d4991b06ff53e36b6f820f3df
• Opcode Fuzzy Hash: c0769648b4d2847dcec7c77448016d2e8242782cb80c48ea4680420fa25a75c6
• Instruction Fuzzy Hash: C4218D71A20666AFCF519F38AD48A6A3BA4EB05321F114729FD36D71E0E73098709B90

APIs
• IsWindow.USER32(00000000), ref: 00285A6E
• GetForegroundWindow.USER32 ref: 00285A85
• GetDC.USER32(00000000), ref: 00285AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 00285ACD
• ReleaseDC.USER32(00000000,00000003), ref: 00285B08
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: d4bb767fc5040baac576d82abe7a021dae0c058c90ab162da446f2f4aadc8fd4
• Instruction ID: 208e1a66de233cc5a72fc160d98dcb038a15a358d755eda432277af814acaccb
• Opcode Fuzzy Hash: d4bb767fc5040baac576d82abe7a021dae0c058c90ab162da446f2f4aadc8fd4
• Instruction Fuzzy Hash: DD21C635A11204AFD744EF65DD88A9AB7E9EF48310F14C079F809D7351CA70AD50CF90

APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0021134D
• SelectObject.GDI32(?,00000000), ref: 0021135C
• BeginPath.GDI32(?), ref: 00211373
• SelectObject.GDI32(?,00000000), ref: 0021139C
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 04b7dc4e84e6334309e1deff5c40cd3b4dc4b087905db7e1439f5c474fd6a4a8
• Instruction ID: 2e13314ccbcf86c485873d2a97ee04068de64dd945e9e4ad67560460035257d9
• Opcode Fuzzy Hash: 04b7dc4e84e6334309e1deff5c40cd3b4dc4b087905db7e1439f5c474fd6a4a8
• Instruction Fuzzy Hash: 24214830C21619EBDB119F25FD087A97BE8EB20322F144267E920D61A4D3B19CF1EF90

APIs
• GetCurrentThreadId.KERNEL32 ref: 00274ABA
• __beginthreadex.LIBCMT ref: 00274AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00274AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00274B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00274B0A
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: 25b186d483ccac7c398267ebf6ab912bff2ecf6aa44aaecf94b1c0b9ed30ef44
• Instruction ID: 14db4dd9f4d7f622dd026a5f62b2d78740023e49d327102d0787f06525570371
• Opcode Fuzzy Hash: 25b186d483ccac7c398267ebf6ab912bff2ecf6aa44aaecf94b1c0b9ed30ef44
• Instruction Fuzzy Hash: 6511E576D15615BBC7419FB8AC0CA9B7BACAB45320F14826AF818D3250D7B18D1487A1

APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0026821E
• GetLastError.KERNEL32(?,00267CE2,?,?,?), ref: 00268228
• GetProcessHeap.KERNEL32(00000008,?,?,00267CE2,?,?,?), ref: 00268237
• RtlAllocateHeap.NTDLL(00000000,?,00267CE2), ref: 0026823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00268255
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
• String ID:
• API String ID: 883493501-0
• Opcode ID: 00888078dde38cc9cdf715f4a87b53f2a7bb868eda09c5e677d5af631729c1cf
• Instruction ID: b5eab73b20cf1c77f0fde2f6c8e3acd5fd0944cb771da04b01841e0aefa340e2
• Opcode Fuzzy Hash: 00888078dde38cc9cdf715f4a87b53f2a7bb868eda09c5e677d5af631729c1cf
• Instruction Fuzzy Hash: 6D016DB1214245BFDB604FA5ED5CD6B7BACEF8A755B60056AFC09C2220DA318C50CA60

APIs
• CLSIDFromProgID.COMBASE ref: 00267127
• ProgIDFromCLSID.COMBASE(?,00000000), ref: 00267142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00267044,80070057,?,?), ref: 00267150
• CoTaskMemFree.COMBASE(00000000), ref: 00267160
• CLSIDFromString.COMBASE(?,?), ref: 0026716C
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: bb6261a7d6716004e6744ed12344c8a68d1f0079ad677c5b609ef3894354c5aa
• Instruction ID: bfddd71ff4ad1fe93c65ec5bd3b1326247d5dafc6eaf89b032b8072fdb095264
• Opcode Fuzzy Hash: bb6261a7d6716004e6744ed12344c8a68d1f0079ad677c5b609ef3894354c5aa
• Instruction Fuzzy Hash: 4E01DFB2620204BBDB904F24FD48BAA7BACEF45795F2000A6FD08D2220D771DD908BA0

APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00275260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0027526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00275276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00275280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002752BC
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 30897b6e8be5194d5130e9815dd9c0fe9851cac1befab7626578668a3e45ce66
• Instruction ID: bf58c0880dc12f8d63a3ac3e7392cc3bc7f342cfeb1ee0af2eb4356224b99713
• Opcode Fuzzy Hash: 30897b6e8be5194d5130e9815dd9c0fe9851cac1befab7626578668a3e45ce66
• Instruction Fuzzy Hash: 0A015B31D11A29DBCF40EFE4ED4C6EDFB78BB08711F404156E949F2142DBB0556087A5

APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00268121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0026812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0026813A
• RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00268141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00268157
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
• Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: HeapInformationToken$AllocateErrorLastProcess
• String ID:
• API String ID: 47921759-0
• Opcode ID: 5499208740c135cb961a6c177a5c687d361afc6daaa64ae973c09ec271047a0f
• Instruction ID: 04e4e2b3e3489e3cfb9ca246bfab18d01e63845640cacc219c38864e3b829b44
• Opcode Fuzzy Hash: 5499208740c135cb961a6c177a5c687d361afc6daaa64ae973c09ec271047a0f
• Instruction Fuzzy Hash: 2DF0C270210305BFEBA10FA4EC8CE6B3BACFF4A758B100166F94DC2160CB609C91DA60

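The records above are what the Joe Sandbox IDA plugin emits per function: each API line has the shape `Name.MODULE(args), ref: address`, and the `API ID` under Similarity is a token signature built from the API names. What follows is an added example, not Joe Sandbox code: a parser for these records plus a reconstruction of the API ID rule. That rule (CamelCase-split each name, drop tokens of three characters or fewer and all-uppercase tokens such as Get, Set, Rtl, W and CLSID, then group the remaining tokens by frequency) is inferred from the complete listings on this page, all of which it reproduces; it is not documented Joe Sandbox behaviour, so treat it as an assumption. The two idiom checks flag what a triager would note in these records: an API called twice with RtlAllocateHeap between the calls (the query-size, allocate, query-again pattern of the GetUserObjectSecurity and GetTokenInformation functions), and PostMessageW carrying WM_LBUTTONDOWN and WM_LBUTTONUP (0x201 and 0x202), which is a synthesized left click. One caveat the example handles itself: the report labels GetTokenInformation's class argument 00000003 as TokenIntegrityLevel, but in winnt.h class 3 is TokenPrivileges and TokenIntegrityLevel is 25, so the class is resolved from the number rather than from the label. The embedded sample is two listings copied from this page, not constructed data.

```python
"""Parse the 'APIs' listings of a Joe Sandbox report, rebuild the 'API ID'
similarity token and flag two call idioms.  Added example, not Joe Sandbox
code: the API ID rule is inferred from the complete listings on this page
(it reproduces all of them), not documented, so treat it as an assumption."""
import re
from collections import Counter, namedtuple

Call = namedtuple("Call", "name module args ref")
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# CamelCase split: lowercase runs (leading underscores allowed, for
# __beginthreadex), all-caps runs not followed by lowercase, Capitalised words.
TOKEN = re.compile(r"_*[a-z]+|[A-Z]+(?![a-z])|[A-Z][a-z]*")
TOKEN_CLASS = {1: "TokenUser", 3: "TokenPrivileges", 25: "TokenIntegrityLevel"}  # winnt.h

def parse_call(line):
    """One '• Name.MODULE(args), ref: ADDR' line -> Call, or None."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    # Split on commas outside parentheses so "00000003(TokenIntegrityLevel)" stays one argument.
    args = re.split(r",(?![^(]*\))", raw) if raw else []
    return Call(m.group("name"), m.group("module"), args, m.group("ref"))

def parse_blocks(text):
    """-> [{'calls': [Call, ...], 'reported': '<API ID as printed>'}, ...]"""
    blocks = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            blocks.append({"calls": [], "reported": ""})
        elif blocks and s.startswith("• API ID:"):
            blocks[-1]["reported"] = s.split(":", 1)[1].strip()
        elif blocks:
            call = parse_call(line)
            if call:
                blocks[-1]["calls"].append(call)
    return blocks

def api_id(calls):
    """Inferred rule: CamelCase-split each name, drop tokens of <= 3 chars and
    all-uppercase tokens, count the rest, emit count groups most frequent first,
    tokens sorted in code-point order inside a group, groups joined by '$'."""
    counts = Counter(t for c in calls for t in TOKEN.findall(c.name)
                     if len(t) > 3 and not t.isupper())
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n]))
                    for n in sorted(groups, reverse=True))

def size_probe(calls):
    """API called twice with RtlAllocateHeap in between (query the required
    size, allocate, call again); returns that API's name, else None."""
    names = [c.name for c in calls]
    for i, n in enumerate(names):
        if n in names[i + 1:] and \
                "RtlAllocateHeap" in names[i + 1:names.index(n, i + 1)]:
            return n
    return None

def synthesized_click(calls):
    """PostMessageW carrying WM_LBUTTONDOWN (0x201) and WM_LBUTTONUP (0x202)."""
    msgs = {int(c.args[1], 16) for c in calls if c.name == "PostMessageW"
            and len(c.args) > 1 and c.args[1] != "?"}
    return {0x201, 0x202} <= msgs

def token_class(call):
    """GetTokenInformation's class argument resolved against winnt.h."""
    if call.name != "GetTokenInformation" or len(call.args) < 2:
        return None
    return TOKEN_CLASS.get(int(call.args[1].split("(")[0], 16), "unknown")

# Two listings from this report (copied from the page, not constructed),
# trimmed to the lines the parser reads.
SAMPLE = """\
APIs
• GetWindowRect.USER32(?,?), ref: 00268A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00268ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00268AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00268AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00268AF8
• API ID: MessagePostSleep$RectWindow
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00268121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0026812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0026813A
• RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00268141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00268157
• API ID: HeapInformationToken$AllocateErrorLastProcess
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(api_id(b["calls"]) == b["reported"], size_probe(b["calls"]),
              synthesized_click(b["calls"]))
```

On a full report, feed the whole text to `parse_blocks` and compare `api_id()` with the reported value for every record: a mismatch marks a listing the inferred rule does not cover, which is the quickest way to find out where the assumption breaks.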
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0026C1F7
                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0026C20E
                                                              • MessageBeep.USER32(00000000), ref: 0026C226
                                                              • KillTimer.USER32(?,0000040A), ref: 0026C242
                                                              • EndDialog.USER32(?,00000001), ref: 0026C25C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Similarity
                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                              • String ID:
                                                              • API String ID: 3741023627-0
                                                              APIs
                                                              • EndPath.GDI32(?), ref: 002113BF
                                                              • StrokeAndFillPath.GDI32(?,?,0024B888,00000000,?), ref: 002113DB
                                                              • SelectObject.GDI32(?,00000000), ref: 002113EE
                                                              • DeleteObject.GDI32 ref: 00211401
                                                              • StrokePath.GDI32(?), ref: 0021141C
                                                              Similarity
                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                              • String ID:
                                                              • API String ID: 2625713937-0
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0026899D
                                                              • CloseHandle.KERNEL32(?), ref: 002689B2
                                                              • CloseHandle.KERNEL32(?), ref: 002689BA
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 002689C3
                                                              • HeapFree.KERNEL32(00000000), ref: 002689CA
                                                              Similarity
                                                              • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                                              • String ID:
                                                              • API String ID: 3751786701-0
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 0027C432
                                                              • CoCreateInstance.COMBASE(002A2D6C,00000000,00000001,002A2BDC,?), ref: 0027C44A
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                              • CoUninitialize.COMBASE ref: 0027C6B7
                                                              Similarity
                                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                                              • String ID: .lnk
                                                              • API String ID: 2683427295-24824748
                                                              APIs
                                                                • Part of subcall function 00230DB6: std::exception::exception.LIBCMT ref: 00230DEC
                                                                • Part of subcall function 00230DB6: __CxxThrowException@8.LIBCMT ref: 00230E01
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 00217A51: _memmove.LIBCMT ref: 00217AAB
                                                              • __swprintf.LIBCMT ref: 00222ECD
                                                              Strings
                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00222D66
                                                              Similarity
                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                              • API String ID: 1943609520-557222456
                                                              APIs
                                                                • Part of subcall function 00214750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00214743,?,?,002137AE,?), ref: 00214770
                                                              • CoInitialize.OLE32(00000000), ref: 0027B9BB
                                                              • CoCreateInstance.COMBASE(002A2D6C,00000000,00000001,002A2BDC,?), ref: 0027B9D4
                                                              • CoUninitialize.COMBASE ref: 0027B9F1
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                              Similarity
                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                              • String ID: .lnk
                                                              • API String ID: 2126378814-24824748
                                                              APIs
                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 0026B4BE
                                                              Similarity
                                                              • API ID: ContainedObject
                                                              • String ID: AutoIt3GUI$Container$%*
                                                              • API String ID: 3565006973-702153088
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 002350AD
                                                                • Part of subcall function 002400F0: __87except.LIBCMT ref: 0024012B
                                                              Similarity
                                                              • API ID: ErrorHandling__87except__start
                                                              • String ID: pow
                                                              • API String ID: 2905807303-2276729525
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: 3c"$_"
                                                              • API String ID: 4104443479-2711503754
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0029F910,00000000,?,?,?,?), ref: 002979DF
                                                              • GetWindowLongW.USER32 ref: 002979FC
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00297A0C
                                                              Similarity
                                                              • API ID: Window$Long
                                                              • String ID: SysTreeView32
                                                              • API String ID: 847901565-1698111956
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00297461
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00297475
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00297499
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: SysMonthCal32
                                                              • API String ID: 2326795674-1439706946
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00296D3B
                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00296D4B
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00296D70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: MessageSend$MoveWindow
                                                              • String ID: Listbox
                                                              • API String ID: 3315199576-2633736733
                                                              APIs
                                                              • __snwprintf.LIBCMT ref: 00283A66
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: __snwprintf_memmove
                                                              • String ID: , $$AUTOITCALLVARIABLE%d$%*
                                                              • API String ID: 3506404897-187446654
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00268C6D
                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00268C84
                                                              • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00268CBC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 3850602802-2594219639
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00297772
                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00297787
                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00297794
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: msctls_trackbar32
                                                              • API String ID: 3850602802-1010561917
                                                              APIs
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 002969A2
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002969B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: LengthMessageSendTextWindow
                                                              • String ID: @U=u$edit
                                                              • API String ID: 2978978980-590756393
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 0026AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0026AABC
                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00268E73
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: @U=u$ComboBox$ListBox
                                                              • API String ID: 372448540-2258501812
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 0026AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0026AABC
                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00268D6B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: @U=u$ComboBox$ListBox
                                                              • API String ID: 372448540-2258501812
                                                              APIs
                                                                • Part of subcall function 00217DE1: _memmove.LIBCMT ref: 00217E22
                                                                • Part of subcall function 0026AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0026AABC
                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00268DEE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: @U=u$ComboBox$ListBox
                                                              • API String ID: 372448540-2258501812
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,002D57B0,0029D809,000000FC,?,00000000,00000000,?,?,?,0024B969,?,?,?,?,?), ref: 0029ACD1
                                                              • GetFocus.USER32 ref: 0029ACD9
                                                                • Part of subcall function 00212612: GetWindowLongW.USER32(?,000000EB), ref: 00212623
                                                                • Part of subcall function 002125DB: GetWindowLongW.USER32(?,000000EB), ref: 002125EC
                                                              • SendMessageW.USER32(0156DCD0,000000B0,000001BC,000001C0), ref: 0029AD4B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              Similarity
                                                              • API ID: Window$Long$FocusForegroundMessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 3601265619-2594219639
                                                              APIs
                                                                • Part of subcall function 0022603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00226051
                                                              • SendMessageW.USER32(?,0000000C,00000000,?), ref: 0022607F
                                                              • GetParent.USER32(?), ref: 00260D46
                                                              • InvalidateRect.USER32(00000000,?,00223A4F,?,00000000,00000001), ref: 00260D4D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$InvalidateParentRectTimeout
                                                              • String ID: @U=u
                                                              • API String ID: 3648793173-2594219639
                                                              • Opcode ID: 25a40863feb277332eb749ee88a113a5a99edd7215fe82db7300b76b64467ce3
                                                              • Instruction ID: 01f6f858a8a47579b51df4c92fe0259a0437c2d9f222ff4d7bc94080382008d8
                                                              • Opcode Fuzzy Hash: 25a40863feb277332eb749ee88a113a5a99edd7215fe82db7300b76b64467ce3
                                                              • Instruction Fuzzy Hash: B4F03032121314FBEF711FA1FC0DF957B59BB25B94F244429F5409A0A1C6B26971BF50
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00214B83,?), ref: 00214C44
                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214C56
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-1355242751
                                                              • Opcode ID: 6213faeb477e6aef02564d57631c842142902a1a7c19bbe4e1946763a789aaee
                                                              • Instruction ID: ec39a5db8d7d893fca92cb50c49c891bbd92a961765656df7c1516c16e806fe7
                                                              • Opcode Fuzzy Hash: 6213faeb477e6aef02564d57631c842142902a1a7c19bbe4e1946763a789aaee
                                                              • Instruction Fuzzy Hash: 0BD01230620713CFD7605F31EA1864676D4AF16351B11883F9499DA160E770D4D0C690
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00214BD0,?,00214DEF,?,002D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214C11
                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214C23
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-3689287502
                                                              • Opcode ID: 4e76e74a5879b5e8a48f28a93d5250442d9044d7a01de28fbab12e9dd528e668
                                                              • Instruction ID: b1ad39f5534652142dc883be4a1adf3aaf80ee9d5ca6183376811dcc3d79134d
                                                              • Opcode Fuzzy Hash: 4e76e74a5879b5e8a48f28a93d5250442d9044d7a01de28fbab12e9dd528e668
                                                              • Instruction Fuzzy Hash: 83D01230521713CFD7606FB1EA08A46B6D5EF1A751B118C3F9889D6160E6B0D4D0C690
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00291039), ref: 00290DF5
                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00290E07
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                              • API String ID: 2574300362-4033151799
                                                              • Opcode ID: 654f0c55aeac8dc0254dd2f5df80cb2d16ed5d91683780658522a261967087d8
                                                              • Instruction ID: ee72d65f5f3ce631ab33f6f457f174055d0bbee773c0928de7b497e538361812
                                                              • Opcode Fuzzy Hash: 654f0c55aeac8dc0254dd2f5df80cb2d16ed5d91683780658522a261967087d8
                                                              • Instruction Fuzzy Hash: 4BD01270560717CFD7605F75D94C74676D5AF05391F518C7E94C9D2150D6B0DCE0C650
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00288CF4,?,0029F910), ref: 002890EE
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00289100
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                              • API String ID: 2574300362-199464113
                                                              • Opcode ID: 8cb990e04b18a00827a8d5b0e543cca12c12b4f7f6701774f2be25db322e104e
                                                              • Instruction ID: bf8ec6f9cce97771db808163d670037a33dbd55c9de93b6bc38618cdb7a43fd2
                                                              • Opcode Fuzzy Hash: 8cb990e04b18a00827a8d5b0e543cca12c12b4f7f6701774f2be25db322e104e
                                                              • Instruction Fuzzy Hash: 0AD01234524713CFDB609F31E91C61676D4AF06351B15C83E9489D6590E770C4D0C790
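The four entries above all follow the same shape: LoadLibraryA on a DLL name, then GetProcAddress on an export the plugin could recover as a string (Wow64RevertWow64FsRedirection, Wow64DisableWow64FsRedirection, RegDeleteKeyExW, GetModuleHandleExW). The plugin prints the module handle passed to GetProcAddress as 00000000 because it cannot resolve it statically, so the DLL has to be read off the preceding LoadLibraryA call. The script below is an added example for working with this kind of report, not Joe Sandbox code and not code recovered from the sample: it parses the API bullets of the plugin entries, pairs each LoadLibrary with the GetProcAddress that follows it in the same function, and annotates the exports an analyst would want called out. The input is constructed from the bullets of five entries on this page. One caveat a practitioner should keep in mind: these stubs sit next to the ">>>AUTOIT NO CMDEXECUTE<<<" string and resolve Vista-era exports at run time in the way an interpreter built to also run on older Windows would, so a hit here is a pointer to where the 32-bit process can reach the native System32 and registry views, not by itself evidence of the AgentTesla payload logic.

```python
"""Pull run-time import resolution out of Joe Sandbox IDA-plugin function entries.

Added example for reading this report; not Joe Sandbox code and not code from
the analysed sample. The plugin lists each function's API calls as bullets like

    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214C56

This parses those bullets, pairs every LoadLibraryA/W with the GetProcAddress
that follows it in the same function, and annotates the exports worth a look.
"""
import re
from dataclasses import dataclass

# Constructed input: the API bullets of five entries copied from the report above.
SAMPLE_ENTRIES = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00214B83,?), ref: 00214C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214C56
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00214BD0,?,00214DEF,?,002D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00214C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214C23
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00291039), ref: 00290DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00290E07
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00288CF4,?,0029F910), ref: 002890EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00289100
APIs
  • Part of subcall function 0022603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00226051
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 0022607F
"""

# One API bullet. 'args' is greedy, so it stops at the last "), ref:" on the line.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$",
    re.MULTILINE,
)
# Every function entry in the plugin dump opens with a bare "APIs" header line.
ENTRY_HEADER = re.compile(r"^APIs\s*$", re.MULTILINE)


@dataclass(frozen=True)
class ApiCall:
    api: str        # e.g. "GetProcAddress"
    module: str     # e.g. "KERNEL32"
    args: tuple     # argument column as the plugin recovered it ("?" = unknown)
    ref: str        # address of the call instruction
    subcall: bool   # True when listed as "Part of subcall function ..."


@dataclass(frozen=True)
class DynamicImport:
    dll: str
    export: str
    ref: str        # address of the GetProcAddress call


def parse_entries(text: str) -> list[list[ApiCall]]:
    """Split the dump at "APIs" headers and parse the bullets of each entry."""
    entries = []
    for chunk in ENTRY_HEADER.split(text):
        calls = [
            ApiCall(m["api"], m["module"],
                    tuple(a.strip() for a in m["args"].split(",")),
                    m["ref"], m["sub"] is not None)
            for m in API_LINE.finditer(chunk)
        ]
        if calls:
            entries.append(calls)
    return entries


def find_dynamic_imports(entries: list[list[ApiCall]]) -> list[DynamicImport]:
    """Pair LoadLibraryA/W with the GetProcAddress that follows it in the same function.

    The plugin shows GetProcAddress's module handle as 00000000 because it cannot
    resolve it statically, so the DLL name is taken from the preceding LoadLibrary.
    """
    found = []
    for calls in entries:
        dll = None
        for c in calls:
            if c.api in ("LoadLibraryA", "LoadLibraryW") and c.args:
                dll = c.args[0]
            elif c.api == "GetProcAddress" and dll and len(c.args) >= 2:
                found.append(DynamicImport(dll, c.args[1], c.ref))
    return found


# Exports an analyst would want called out, with the reason. GetModuleHandleExW
# is deliberately absent: it is a plain Vista+ lookup with no security relevance.
WATCHLIST = {
    "Wow64DisableWow64FsRedirection": "disables SysWOW64 file-system redirection for the "
                                      "calling thread, so a 32-bit process reaches the real System32",
    "Wow64RevertWow64FsRedirection": "restores the redirection disabled above",
    "RegDeleteKeyExW": "deletes a registry key from an explicitly chosen 32- or 64-bit view",
}


def triage(imports: list[DynamicImport]) -> list[tuple[DynamicImport, str]]:
    """Return the watch-listed dynamic imports with their notes, in dump order."""
    return [(i, WATCHLIST[i.export]) for i in imports if i.export in WATCHLIST]


if __name__ == "__main__":
    imports = find_dynamic_imports(parse_entries(SAMPLE_ENTRIES))
    for imp in imports:
        print(f"{imp.ref}: {imp.dll} -> {imp.export}")
    for imp, note in triage(imports):
        print(f"  flag {imp.export}: {note}")
```

Run against the full report text instead of the embedded sample, the same two functions give the complete list of exports the binary resolves at run time, which is a quicker way to find the interesting stubs than paging through the per-function fuzzy hashes.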
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: LocalTime__swprintf
                                                              • String ID: %.3d$WIN_XPe
                                                              • API String ID: 2070861257-2409531811
                                                              • Opcode ID: 9b64abae870987032b0da7a21fb09743f2337c482294975515a03a624f47e6f1
                                                              • Instruction ID: 4cb0e4b5e5b3cb675dedb6822a8725586f71acfc6c228e6a2e8e31f0afe9688c
                                                              • Opcode Fuzzy Hash: 9b64abae870987032b0da7a21fb09743f2337c482294975515a03a624f47e6f1
                                                              • Instruction Fuzzy Hash: D9D01271C74108FAC74497949889EF9B77CAB1D312F141552BC06E2040E3B18BB8DA29
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • Opcode ID: 15583230881d079814b4ef6b8aa0debc740c01bf4c3a4c7ef9e0fad5df14d780
                                                              • Instruction ID: 67656c681922b01a6b7f089fa9cd1b4f9f32f7062b21f9dbe905d66132b636db
                                                              • Opcode Fuzzy Hash: 15583230881d079814b4ef6b8aa0debc740c01bf4c3a4c7ef9e0fad5df14d780
                                                              • Instruction Fuzzy Hash: 2AC18F74A14216EFDB14CFA4D884EAEBBB5FF48708B148598E805EB351DB30ED91DB90
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?), ref: 0028E0BE
                                                              • CharLowerBuffW.USER32(?,?), ref: 0028E101
                                                                • Part of subcall function 0028D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0028D7C5
                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0028E301
                                                              • _memmove.LIBCMT ref: 0028E314
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                              • String ID:
                                                              • API String ID: 3659485706-0
                                                              • Opcode ID: 13c1c8d7506a45399424b88a7148d4056da8b46ba535b81ed3ba17d730050a9d
                                                              • Instruction ID: 9e1fdc46ddc9a60b740c16aa6b9f30f332f5d213ea1dadbc939ad3206a8676c4
                                                              • Opcode Fuzzy Hash: 13c1c8d7506a45399424b88a7148d4056da8b46ba535b81ed3ba17d730050a9d
                                                              • Instruction Fuzzy Hash: 3FC159756183018FCB04EF28C49096ABBE4FF89714F05896EF8999B391D730E956CF82
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 002880C3
                                                              • CoUninitialize.COMBASE ref: 002880CE
                                                                • Part of subcall function 0026D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0026D5D4
                                                              • VariantInit.OLEAUT32(?), ref: 002880D9
                                                              • VariantClear.OLEAUT32(?), ref: 002883AA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                              • String ID:
                                                              • API String ID: 780911581-0
                                                              • Opcode ID: 4244313d385a614bce6d440d6dcf0eb7b2900e8b144e5c1d0333800068eded57
                                                              • Instruction ID: 41ba9ff681217d2bcc813f08683d87cf4e1e5a9707840a5adb9fe5d461c09e52
                                                              • Opcode Fuzzy Hash: 4244313d385a614bce6d440d6dcf0eb7b2900e8b144e5c1d0333800068eded57
                                                              • Instruction Fuzzy Hash: E9A18A396247019FCB00EF24C491B6AB7E4BF99314F444448F99A9B3A1CB30EDA1CF82
                                                              APIs
                                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 002676EA
                                                              • CoTaskMemFree.COMBASE(00000000), ref: 00267702
                                                              • CLSIDFromProgID.COMBASE(?,?), ref: 00267727
                                                              • _memcmp.LIBCMT ref: 00267748
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FromProg$FreeTask_memcmp
                                                              • String ID:
                                                              • API String ID: 314563124-0
                                                              • Opcode ID: 8dfaf6706e75875d06e428cbb947fcc47905cdb890cb202541ebe7d766c596fb
                                                              • Instruction ID: cf82c2684fa3468ffcf74e878b50ca7df0676f71eab4d963bd2ded4c8dca6a43
                                                              • Opcode Fuzzy Hash: 8dfaf6706e75875d06e428cbb947fcc47905cdb890cb202541ebe7d766c596fb
                                                              • Instruction Fuzzy Hash: 33812E71A1010AEFCB04DFA4D984EEEB7B9FF89315F204198E505EB250DB71AE46CB60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Variant$AllocClearCopyInitString
                                                              • String ID:
                                                              • API String ID: 2808897238-0
                                                              APIs
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0027B89E
                                                              • GetLastError.KERNEL32(?,00000000), ref: 0027B8C4
                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0027B8E9
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0027B915
                                                              Similarity
                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                              • String ID:
                                                              • API String ID: 3321077145-0
                                                              APIs
                                                              • ClientToScreen.USER32(?,?), ref: 0029AB60
                                                              • GetWindowRect.USER32(?,?), ref: 0029ABD6
                                                              • PtInRect.USER32(?,?,0029C014), ref: 0029ABE6
                                                              • MessageBeep.USER32(00000000), ref: 0029AC57
                                                              Similarity
                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                              • String ID:
                                                              • API String ID: 1352109105-0
                                                              APIs
                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00270B27
                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00270B43
                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00270BA9
                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00270BFB
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              APIs
                                                              • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00270C66
                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00270C82
                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00270CE1
                                                              • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00270D33
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002461FB
                                                              • __isleadbyte_l.LIBCMT ref: 00246229
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00246257
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0024628D
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 00294F02
                                                                • Part of subcall function 00273641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0027365B
                                                                • Part of subcall function 00273641: GetCurrentThreadId.KERNEL32 ref: 00273662
                                                                • Part of subcall function 00273641: AttachThreadInput.USER32(00000000,?,00275005), ref: 00273669
                                                              • GetCaretPos.USER32(?), ref: 00294F13
                                                              • ClientToScreen.USER32(00000000,?), ref: 00294F4E
                                                              • GetForegroundWindow.USER32 ref: 00294F54
                                                              Similarity
                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                              • String ID:
                                                              • API String ID: 2759813231-0
                                                              APIs
                                                                • Part of subcall function 0026810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00268121
                                                                • Part of subcall function 0026810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0026812B
                                                                • Part of subcall function 0026810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0026813A
                                                                • Part of subcall function 0026810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00268141
                                                                • Part of subcall function 0026810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00268157
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002686A3
                                                              • _memcmp.LIBCMT ref: 002686C6
                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002686FC
                                                              • HeapFree.KERNEL32(00000000), ref: 00268703
                                                              Similarity
                                                              • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                                              • String ID:
                                                              • API String ID: 2182266621-0
                                                              APIs
                                                              • __setmode.LIBCMT ref: 002309AE
                                                                • Part of subcall function 00215A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00277896,?,?,00000000), ref: 00215A2C
                                                                • Part of subcall function 00215A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00277896,?,?,00000000,?,?), ref: 00215A50
                                                              • _fprintf.LIBCMT ref: 002309E5
                                                              • OutputDebugStringW.KERNEL32(?), ref: 00265DBB
                                                                • Part of subcall function 00234AAA: _flsall.LIBCMT ref: 00234AC3
                                                              • __setmode.LIBCMT ref: 00230A1A
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                              • String ID:
                                                              • API String ID: 521402451-0
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002817A3
                                                                • Part of subcall function 0028182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028184C
                                                                • Part of subcall function 0028182D: InternetCloseHandle.WININET(00000000), ref: 002818E9
                                                              Similarity
                                                              • API ID: Internet$CloseConnectHandleOpen
                                                              • String ID:
                                                              • API String ID: 1463438336-0
                                                              APIs
                                                              • GetFileAttributesW.KERNEL32(?,0029FAC0), ref: 00273A64
                                                              • GetLastError.KERNEL32 ref: 00273A73
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00273A82
                                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0029FAC0), ref: 00273ADF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Similarity
                                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                                              • String ID:
                                                              • API String ID: 2267087916-0
                                                              • Opcode ID: 54b4da0075353263b0a2fbd80e8121ab19de69a734ec9d040a07bd4c48b7c327
                                                              • Instruction ID: 74acb80ef627df7f022de2a6023b5ca3082fa0a94ba3afdf0f71d5ce56fcd3e8
                                                              • Opcode Fuzzy Hash: 54b4da0075353263b0a2fbd80e8121ab19de69a734ec9d040a07bd4c48b7c327
                                                              • Instruction Fuzzy Hash: 6221D6315182029F8340DF24D9868AB77E8BF56364F108A1EF4DDC72A1D731DE55DB82
                                                              APIs
                                                              • _free.LIBCMT ref: 00245101
                                                                • Part of subcall function 0023571C: __FF_MSGBANNER.LIBCMT ref: 00235733
                                                                • Part of subcall function 0023571C: __NMSG_WRITE.LIBCMT ref: 0023573A
                                                                • Part of subcall function 0023571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001), ref: 0023575F
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: f28917dc9a72d104c23d11e3c6556dd68f3efa90e59b97611e03e6e43d0c9bbe
                                                              • Instruction ID: 400f4b3610ee8085bb48e75792e46965bf19f216f357c522e82f158fae59e0f7
                                                              • Opcode Fuzzy Hash: f28917dc9a72d104c23d11e3c6556dd68f3efa90e59b97611e03e6e43d0c9bbe
                                                              • Instruction Fuzzy Hash: BB11E3B2930A27AFCB252F70FC49B6D77989F04361F20452AF98DDA152DE7489608A90
                                                              APIs
                                                              • _memset.LIBCMT ref: 002144CF
                                                                • Part of subcall function 0021407C: _memset.LIBCMT ref: 002140FC
                                                                • Part of subcall function 0021407C: _wcscpy.LIBCMT ref: 00214150
                                                                • Part of subcall function 0021407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00214160
                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00214524
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00214533
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0024D4B9
                                                              Similarity
                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                              • String ID:
                                                              • API String ID: 1378193009-0
                                                              • Opcode ID: 300a9776aeda9a30cfde6f32ffd14c6a2708d3722a2889e282c39384169b4978
                                                              • Instruction ID: b0e05bddaf373fcd463a72b1a97d07990d367cf69271f5ecf758bd8eb8017590
                                                              • Opcode Fuzzy Hash: 300a9776aeda9a30cfde6f32ffd14c6a2708d3722a2889e282c39384169b4978
                                                              • Instruction Fuzzy Hash: AF210774914794AFE7729F249849BE7BBECAF15304F04009EE78E96281C3B42994DB51
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002685E2
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 002685E9
                                                              • CloseHandle.KERNEL32(00000004), ref: 00268603
                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00268632
                                                              Similarity
                                                              • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                              • String ID:
                                                              • API String ID: 2621361867-0
                                                              • Opcode ID: 6b2fad27cb6a5439a5db746d8ff68ca6b2d17399995b18bae883952ced977754
                                                              • Instruction ID: 8e0427b504b53b380b57f0222240011fded4c26844bb36145dbd6a89fc7d34ec
                                                              • Opcode Fuzzy Hash: 6b2fad27cb6a5439a5db746d8ff68ca6b2d17399995b18bae883952ced977754
                                                              • Instruction Fuzzy Hash: DF11597250024AABDF418FA4ED49BEE7BA9EF08344F044165FE05E2160C7728DB0EB60
                                                              APIs
                                                                • Part of subcall function 00215A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00277896,?,?,00000000), ref: 00215A2C
                                                                • Part of subcall function 00215A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00277896,?,?,00000000,?,?), ref: 00215A50
                                                              • gethostbyname.WS2_32(?), ref: 00286399
                                                              • WSAGetLastError.WS2_32(00000000), ref: 002863A4
                                                              • _memmove.LIBCMT ref: 002863D1
                                                              • inet_ntoa.WS2_32(?), ref: 002863DC
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                              • String ID:
                                                              • API String ID: 1504782959-0
                                                              • Opcode ID: 49d2176a5425cbc1273371a6da14c5e214e9e34901a2366526b3c9b842824509
                                                              • Instruction ID: 479fb3b0c8bd812b5898ddf41aa91209889ccf373dbb05b10a8bb7e96c6c2cb8
                                                              • Opcode Fuzzy Hash: 49d2176a5425cbc1273371a6da14c5e214e9e34901a2366526b3c9b842824509
                                                              • Instruction Fuzzy Hash: F0115135610109EFCB40FFA4DD96CEE77B8AF54310B144065F505A71A1DB309E64CFA1
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00268B61
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00268B73
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00268B89
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00268BA4
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 8cd0a085348585e7d7797b33c5694febcc1584c0723062eda704e9da9c89159c
                                                              • Instruction ID: e7e025eb3d1dd16b5b4b11f3cb40fe20ef95e82164f078076ce81c393183652f
                                                              • Opcode Fuzzy Hash: 8cd0a085348585e7d7797b33c5694febcc1584c0723062eda704e9da9c89159c
                                                              • Instruction Fuzzy Hash: E3114C79900218FFDB10DF95CC84F9DBB78FB48310F204195EA00B7250DA716E61DB94
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0026D84D
                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0026D864
                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0026D879
                                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0026D897
                                                              Similarity
                                                              • API ID: Type$Register$FileLoadModuleNameUser
                                                              • String ID:
                                                              • API String ID: 1352324309-0
                                                              • Opcode ID: d60705dd7a82edc0a7052057520231e42484642d32b477176e27b3baf1b78f1b
                                                              • Instruction ID: 704f8c9d9855612970bcec42cd9b77b26d0e914bdba0dac1dd980facba40a063
                                                              • Opcode Fuzzy Hash: d60705dd7a82edc0a7052057520231e42484642d32b477176e27b3baf1b78f1b
                                                              • Instruction Fuzzy Hash: FE116575B15308DBE3208F50ED0CF93BBBCEB00700F10496AA615D7450D7F0E9A69BA1
                                                              APIs
                                                              Similarity
                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                              • String ID:
                                                              • API String ID: 3016257755-0
                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction ID: dcd67878d7bc709d4af57cb6ce2ba3cb702965584cc0ef8846ea82326411b10c
                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction Fuzzy Hash: 4B018C3206914ABBCF2A5F84DC01CEE3F62BB28350F499415FE2858030C336C9B1AF81
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 0029B2E4
                                                              • ScreenToClient.USER32(?,?), ref: 0029B2FC
                                                              • ScreenToClient.USER32(?,?), ref: 0029B320
                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0029B33B
                                                              Similarity
                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                              • String ID:
                                                              • API String ID: 357397906-0
                                                              • Opcode ID: 0efaf12d50f45c9d28615a425e9023b56eab5fd2cad674f68b02e19d6ab0f97b
                                                              • Instruction ID: b6534b36b8ec296de6eaaed8720c2fce6fdf08fad9dff514bbecc4ae284a1fba
                                                              • Opcode Fuzzy Hash: 0efaf12d50f45c9d28615a425e9023b56eab5fd2cad674f68b02e19d6ab0f97b
                                                              • Instruction Fuzzy Hash: 56114675D00209EFDB41CF99D5449EEBBB9FB08310F104166E914E3220D735AA658F50
                                                              APIs
                                                              • _memset.LIBCMT ref: 0029B644
                                                              • _memset.LIBCMT ref: 0029B653
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002D6F20,002D6F64), ref: 0029B682
                                                              • CloseHandle.KERNEL32 ref: 0029B694
                                                              Similarity
                                                              • API ID: _memset$CloseCreateHandleProcess
                                                              • String ID:
                                                              • API String ID: 3277943733-0
                                                              • Opcode ID: 73ee95fd9bdf33caf63d4ee9b300254c0f23e69b6cdfbf28a48ecdc8730f6acf
                                                              • Instruction ID: e7c8bf181073dae9727d17e71f73b347e9d5b436cd05146e2f5aeb64ce76cf32
                                                              • Opcode Fuzzy Hash: 73ee95fd9bdf33caf63d4ee9b300254c0f23e69b6cdfbf28a48ecdc8730f6acf
                                                              • Instruction Fuzzy Hash: DDF054F1551744BEE2102761BC0DF7B3B5CEB08755F004062FA09D5591D7755C108BA8
                                                              APIs
                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00276BE6
                                                                • Part of subcall function 002776C4: _memset.LIBCMT ref: 002776F9
                                                              • _memmove.LIBCMT ref: 00276C09
                                                              • _memset.LIBCMT ref: 00276C16
                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00276C26
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                              • String ID:
                                                              • API String ID: 48991266-0
                                                              • Opcode ID: 08750a0c9c617e456c990f1c6871a5431d4d6b87da3bdd91f9f9e73039886a99
                                                              • Instruction ID: e83b146579f680ec720aa2b43933c39318b7b14c9bf8a7b30b880b06d39d3fb0
                                                              • Opcode Fuzzy Hash: 08750a0c9c617e456c990f1c6871a5431d4d6b87da3bdd91f9f9e73039886a99
                                                              • Instruction Fuzzy Hash: 6AF0547A600100ABCF416F55EC89A4ABB29EF45321F04C061FE089E227C731E821CFB4
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00212231
                                                              • SetTextColor.GDI32(?,000000FF), ref: 0021223B
                                                              • SetBkMode.GDI32(?,00000001), ref: 00212250
                                                              • GetStockObject.GDI32(00000005), ref: 00212258
                                                              • GetWindowDC.USER32(?,00000000), ref: 0024BE83
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0024BE90
                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0024BEA9
                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0024BEC2
                                                              • GetPixel.GDI32(00000000,?,?), ref: 0024BEE2
                                                              • ReleaseDC.USER32(?,00000000), ref: 0024BEED
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                              • String ID:
                                                              • API String ID: 1946975507-0
                                                              • Opcode ID: 78e3f4f7ad10f72b2c7067c4d601bb61718992de93918f08f52ca15e0723694e
                                                              • Instruction ID: 3392f0e2dd8b3e2fd5dff0c5aeebfef1725d499e95531002f39df2c6817b22ba
                                                              • Opcode Fuzzy Hash: 78e3f4f7ad10f72b2c7067c4d601bb61718992de93918f08f52ca15e0723694e
                                                              • Instruction Fuzzy Hash: 1DE03932214245EADFA15F64FD0D7D83B10EB16332F108367FA6D880E187B289A4DF52
                                                              APIs
                                                              • GetCurrentThread.KERNEL32 ref: 0026871B
                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,002682E6), ref: 00268722
                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002682E6), ref: 0026872F
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,002682E6), ref: 00268736
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CurrentOpenProcessThreadToken
                                                              • String ID:
                                                              • API String ID: 3974789173-0
                                                              • Opcode ID: 98ed28e399b59671f174c6fffa6027197b1386ebf68e4703ad4ab6e2aa269055
                                                              • Instruction ID: 7122183807ccb2513106ec97383a66d6a802f5b4885099c961fc04a54e4ce910
                                                              • Opcode Fuzzy Hash: 98ed28e399b59671f174c6fffa6027197b1386ebf68e4703ad4ab6e2aa269055
                                                              • Instruction Fuzzy Hash: B8E0CD36A153129BD7E05FB07E0DB577BACEF547D1F144839F645C9044DA748491C750
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %*
                                                              • API String ID: 0-3615067565
                                                              • Opcode ID: 6e31db92ba452a96b68406bf7f83219b243de4e4ce94e3c16c872274926a5bf8
                                                              • Instruction ID: 10e1f1c5b469ab633e88b789f6e4c84b7d0a6b0c071484c78b2bda544d506660
                                                              • Opcode Fuzzy Hash: 6e31db92ba452a96b68406bf7f83219b243de4e4ce94e3c16c872274926a5bf8
                                                              • Instruction Fuzzy Hash: 5FB1B27182010ADACF24EF94C489AFEB7F9FF64710F504066E912A7191DB749EE2CB91
                                                              APIs
                                                                • Part of subcall function 0022FC86: _wcscpy.LIBCMT ref: 0022FCA9
                                                                • Part of subcall function 00219837: __itow.LIBCMT ref: 00219862
                                                                • Part of subcall function 00219837: __swprintf.LIBCMT ref: 002198AC
                                                              • __wcsnicmp.LIBCMT ref: 0027B02D
                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0027B0F6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                              • String ID: LPT
                                                              • API String ID: 3222508074-1350329615
                                                              • Opcode ID: ca4b2456ad498c374ae802114c225a3570e4439a0291be07a6a7bbc76fe0a4ab
                                                              • Instruction ID: 63a984ffc7ee9058facd38ffdf5dd088673da6657fad141db255d2a8c5dbe1d1
                                                              • Opcode Fuzzy Hash: ca4b2456ad498c374ae802114c225a3570e4439a0291be07a6a7bbc76fe0a4ab
                                                              • Instruction Fuzzy Hash: 7A618175A20215AFCB15EF94C895FEEB7F4EF08310F518069F91AAB251DB70AE90CB50
                                                              APIs
                                                              • Sleep.KERNEL32(00000000), ref: 00222968
                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00222981
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemorySleepStatus
                                                              • String ID: @
                                                              • API String ID: 2783356886-2766056989
                                                              • Opcode ID: 0de866629b60de3b5a76a8744717e54567bc5ce755cb822c64481d5908e3abde
                                                              • Instruction ID: 79d39a8a99bb1371c5fa58e4439f3c284a0f13309123d951a85dc10df9e18f86
                                                              • Opcode Fuzzy Hash: 0de866629b60de3b5a76a8744717e54567bc5ce755cb822c64481d5908e3abde
                                                              • Instruction Fuzzy Hash: A0514872418748ABD720EF10D886BEFBBE8FB95344F52485DF2D8410A1DB3185B9CB56
                                                              APIs
                                                                • Part of subcall function 00214F0B: __fread_nolock.LIBCMT ref: 00214F29
                                                              • _wcscmp.LIBCMT ref: 00279824
                                                              • _wcscmp.LIBCMT ref: 00279837
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _wcscmp$__fread_nolock
                                                              • String ID: FILE
                                                              • API String ID: 4029003684-3121273764
                                                              • Opcode ID: 9a6e73b30473bf211ca55bda3853a1806e7b326bac2e501b1e26471e3e1b2d56
                                                              • Instruction ID: 941711e35048a20d85f23dcba1c5268e01309e41d8c2cefbed88f29399c4e9df
                                                              • Opcode Fuzzy Hash: 9a6e73b30473bf211ca55bda3853a1806e7b326bac2e501b1e26471e3e1b2d56
                                                              • Instruction Fuzzy Hash: 3E41D871A1021ABADF20AEA4CC45FEFB7FDDF95710F004069F908B7180D671AA558B61
                                                              APIs
                                                              • _memset.LIBCMT ref: 0028259E
                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002825D4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CrackInternet_memset
                                                              • String ID: |
                                                              • API String ID: 1413715105-2343686810
                                                              • Opcode ID: ea2203103cd7345d232d1917bb324e3b7e38d425e7c459c1ecfad70e3dcd04f1
                                                              • Instruction ID: 379c7f774a1ed0833bdfaba5656b09298c916fba55c2bb706f8a5d8f03f13df3
                                                              • Opcode Fuzzy Hash: ea2203103cd7345d232d1917bb324e3b7e38d425e7c459c1ecfad70e3dcd04f1
                                                              • Instruction Fuzzy Hash: 7D31F971C21119EBCF05EFA0DC85EEEBFB9FF18310F100069E915A61A1EA3159A6DF50
                                                              APIs
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00297B61
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00297B76
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: '
                                                              • API String ID: 3850602802-1997036262
                                                              • Opcode ID: ddb83047da40f93e94865efe7beed1e8d16b8f1d5b8254ad17321230cd7ce565
                                                              • Instruction ID: 8fab6ad905eea532f3549f225fdb842f7623234289d6d676a09d784645d86071
                                                              • Opcode Fuzzy Hash: ddb83047da40f93e94865efe7beed1e8d16b8f1d5b8254ad17321230cd7ce565
                                                              • Instruction Fuzzy Hash: 2041F874A2520A9FDF14CF64D991BDABBB5FF09304F14016AE904EB351D770A961CF90
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?,?), ref: 00296B17
                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00296B53
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$DestroyMove
                                                              • String ID: static
                                                              • API String ID: 2139405536-2160076837
                                                              • Opcode ID: 9a0f9db2d44f0fed52ab7454d176387ddc1200396513c05606e3f3e9aa2fa82d
                                                              • Instruction ID: 8e2ba506e843146837008968eb19dffa7b45a3cf37c2ce8c89225a8908c39b02
                                                              • Opcode Fuzzy Hash: 9a0f9db2d44f0fed52ab7454d176387ddc1200396513c05606e3f3e9aa2fa82d
                                                              • Instruction Fuzzy Hash: 04318F71120605AEDF109F64DC54BFB73E9FF48764F108619F9A5D7190DA31ACA1CB60
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00269965
                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0026999F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 3850602802-2594219639
                                                              • Opcode ID: bcc5fac5b86a6f23d11a4ba366aedee6fcb8c9fef9e0fc11a700fac229b0b28d
                                                              • Instruction ID: 905bceec76912924115aaee41e13fff58c882ea77b1d9c7be40ddca413bb85f6
                                                              • Opcode Fuzzy Hash: bcc5fac5b86a6f23d11a4ba366aedee6fcb8c9fef9e0fc11a700fac229b0b28d
                                                              • Instruction Fuzzy Hash: 1421B431D20215ABCF10AFA4D881DEEB7BDEF99710B144069F915A7290EE709DD58B50
                                                              APIs
                                                              • _memset.LIBCMT ref: 00272911
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0027294C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: 42167c3ffb40e5fd28d93a5e5a6a01e924b33e152f432512b393d59922e6f1c9
                                                              • Instruction ID: 5f9614fba24e5c41fbd41fb1f8c20a3b2b841ca77fe5c31cb3a328a4ad0d37c2
                                                              • Opcode Fuzzy Hash: 42167c3ffb40e5fd28d93a5e5a6a01e924b33e152f432512b393d59922e6f1c9
                                                              • Instruction Fuzzy Hash: 1331EB31520306DFDB24CF58D945BAEBBF4EF45350F288019EA89A61A0D7709D68CB51
                                                              APIs
                                                                • Part of subcall function 0022603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00226051
                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0026AA10
                                                              • _strlen.LIBCMT ref: 0026AA1B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Timeout_strlen
                                                              • String ID: @U=u
                                                              • API String ID: 2777139624-2594219639
                                                              • Opcode ID: 88764294c26e6442fa96b61d501284cea8dce8bd28e65b1ab83116f095498734
                                                              • Instruction ID: 844bf5218e93f8fb741428f1608a57aea995a46836fb0ef2eb41f5b1045cdb6b
                                                              • Opcode Fuzzy Hash: 88764294c26e6442fa96b61d501284cea8dce8bd28e65b1ab83116f095498734
                                                              • Instruction Fuzzy Hash: F911383222420666CB14BEB8DDC29FE77B89F45300F10102EF505EA193DD259DE5CE51
                                                              APIs
                                                                • Part of subcall function 002755FD: GetLocalTime.KERNEL32 ref: 0027560A
                                                                • Part of subcall function 002755FD: _wcsncpy.LIBCMT ref: 0027563F
                                                                • Part of subcall function 002755FD: _wcsncpy.LIBCMT ref: 00275671
                                                                • Part of subcall function 002755FD: _wcsncpy.LIBCMT ref: 002756A4
                                                                • Part of subcall function 002755FD: _wcsncpy.LIBCMT ref: 002756E6
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 002968FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: _wcsncpy$LocalMessageSendTime
                                                              • String ID: @U=u$SysDateTimePick32
                                                              • API String ID: 2466184910-2530228043
                                                              • Opcode ID: fece657f90b794ae81fca227e1e2183e3659135e6d11a94986b7a2b947b4104f
                                                              • Instruction ID: 5e745467151508f211447567f3f9b1a9d1b9bec67035ae42c28f416c0758e80e
                                                              • Opcode Fuzzy Hash: fece657f90b794ae81fca227e1e2183e3659135e6d11a94986b7a2b947b4104f
                                                              • Instruction Fuzzy Hash: 852159713602196FEF218E14DC8AFEF73A9FF44350F200519F950AB1D0D6B2ACA08B60
                                                              APIs
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0026923E
                                                                • Part of subcall function 002713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00271409
                                                                • Part of subcall function 002713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0026925A,00000034,?,?,00001004,00000000,00000000), ref: 00271419
                                                                • Part of subcall function 002713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0026925A,00000034,?,?,00001004,00000000,00000000), ref: 0027142F
                                                                • Part of subcall function 002714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00269296,?,?,00000034,00000800,?,00000034), ref: 002714E6
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 002692A5
                                                                • Part of subcall function 00271487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002714B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @U=u
                                                              • API String ID: 1045663743-2594219639
                                                              • Opcode ID: 29384e371ef07bd31fd91dd3a7a33fc64b0023f38d00607cb593a1ea45df6753
                                                              • Instruction ID: 7846ea120aea7e92a6eb6736e9df4b119b142f297aff3787f3081ccdbb4f25fa
                                                              • Opcode Fuzzy Hash: 29384e371ef07bd31fd91dd3a7a33fc64b0023f38d00607cb593a1ea45df6753
                                                              • Instruction Fuzzy Hash: 18215E31911229BBEF21DBA8DC95FDDBBB8FF09310F1041A5F958A7190DA705AA4CF90
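The function at 0026923E above is the code path behind the "Writes to foreign memory regions" signature in this report. It opens the window's owning process with access mask 0x438 (PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, no PROCESS_CREATE_THREAD), allocates a PAGE_READWRITE buffer there (MEM_COMMIT 0x1000, protect 0x4, not executable), writes an LVITEM into it, sends LVM_GETITEMCOUNT (0x1004) and LVM_GETITEMTEXTW (0x1073), and reads the text back. That is the only way to read a ListView owned by another process, and it is what the AutoIt runtime's ControlListView does, so this entry by itself is not evidence of injection; the report's verdict rests on the other signatures (keyboard hook, credential harvesting, startup VBS). The triage script below is an added example written for this page, not Joe Sandbox's or AutoIt's own code: it parses the dump format shown here and applies that distinction. Its embedded sample copies the API lines of this function and of one plain SendMessageW function from this page, plus a third, hypothetical injection-shaped entry constructed only to exercise the other branch; the API name sets, message numbers and access-mask bits are from the Windows SDK headers.

```python
# Added triage helper (editor's example, not Joe Sandbox's own code). It parses the API
# lines of this report's function dumps and separates the AutoIt runtime's ControlListView-
# style read of a ListView in another process (VirtualAllocEx, WriteProcessMemory,
# LVM_GETITEMTEXT, ReadProcessMemory) from an injection-shaped sequence. Heuristic only.
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's dump format: entries 1 and 2 copy the API lines shown
# on this page; entry 3 is a hypothetical injection-shaped function, not from this sample.
SAMPLE_DUMP = """\
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0026923E
  • Part of subcall function 002713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00271409
  • Part of subcall function 002713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0026925A,00000034,?,?,00001004,00000000,00000000), ref: 00271419
  • Part of subcall function 002713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0026925A,00000034,?,?,00001004,00000000,00000000), ref: 0027142F
  • Part of subcall function 002714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00269296,?,?,00000034,00000800,?,00000034), ref: 002714E6
• SendMessageW.USER32(?,00001073,00000000,?), ref: 002692A5
  • Part of subcall function 00271487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002714B1
• Instruction Fuzzy Hash: 18215E31911229BBEF21DBA8DC95FDDBBB8FF09310F1041A5F958A7190DA705AA4CF90
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00296761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0029676C
• Instruction Fuzzy Hash: 3B11B6712202096FEF118F94DC88EFB77AAEB44368F110129F91497290D671DC7187A0
APIs
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00400010
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00400020
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00400030
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 00400040
• Instruction Fuzzy Hash: HYPOTHETICAL
"""

# One API line: optional "Part of subcall function X:" prefix, then Name.MODULE(args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    name: str
    args: tuple   # literal hex words, or "?" where the plugin could not resolve the value
    ref: int      # call-site address

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fuzzy_hash: str = ""

def parse_dump(text: str) -> list:
    """One FunctionEntry per 'Instruction Fuzzy Hash' record, with its API calls in order."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
            cur.calls.append(ApiCall(m.group("api"), args, int(m.group("ref"), 16)))
        elif "Instruction Fuzzy Hash:" in line:
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur = FunctionEntry()
    return entries

def literal_arg(entry: FunctionEntry, api: str, index: int):
    """Nth argument of the first call to `api` as an int, or None if the plugin left it as '?'."""
    for c in entry.calls:
        if c.name == api:
            return int(c.args[index], 16) if len(c.args) > index and c.args[index] != "?" else None
    return None

# Windows SDK constants: LVM_FIRST = 0x1000 (DTM_FIRST shares it, so decode only alongside
# other evidence); PROCESS_CREATE_THREAD is absent from the 0x438 mask used above.
LVM_MESSAGES = {0x1000 + 4: "LVM_GETITEMCOUNT", 0x1000 + 115: "LVM_GETITEMTEXTW"}
PROCESS_CREATE_THREAD = 0x0002
PAGE_EXECUTE_ANY = 0xF0   # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY
CROSS_PROCESS_RW = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}
EXEC_TRANSFER = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                 "QueueUserAPC", "SetThreadContext", "NtMapViewOfSection"}

def sendmessage_ids(entry: FunctionEntry) -> set:
    """Literal message IDs passed as the second argument of any SendMessage* call."""
    return {int(c.args[1], 16) for c in entry.calls
            if c.name.startswith("SendMessage") and len(c.args) > 1 and c.args[1] != "?"}

def classify(entry: FunctionEntry) -> str:
    names = {c.name for c in entry.calls}
    if not names & CROSS_PROCESS_RW:
        return "no cross-process memory access"
    access = literal_arg(entry, "OpenProcess", 0)       # dwDesiredAccess
    protect = literal_arg(entry, "VirtualAllocEx", 4)   # flProtect
    if names & EXEC_TRANSFER or (protect is not None and protect & PAGE_EXECUTE_ANY):
        return "injection-shaped: executable remote memory or execution transfer"
    reads_listview = bool(sendmessage_ids(entry) & set(LVM_MESSAGES))
    if reads_listview and {"WriteProcessMemory", "ReadProcessMemory"} <= names \
            and (access is None or not access & PROCESS_CREATE_THREAD):
        return "UI control read: LVITEM marshalled into the target (ControlListView-style)"
    return "cross-process memory access, review manually"

if __name__ == "__main__":
    for e in parse_dump(SAMPLE_DUMP):
        print(f"{e.fuzzy_hash[:16]:<16} {classify(e)}")
```

Run against a full report export, the script lists every function that touches another process's memory and tags the ones that merely marshal a ListView item; anything that allocates executable pages or is followed by a thread-creation or APC call is left for manual review. The message decode is deliberately narrow: 0x1000 is both LVM_FIRST and DTM_FIRST, which is why the 0x1002 seen in the SysDateTimePick32 function above must not be read as a ListView message.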
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00296761
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0029676C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: Combobox
                                                              • API String ID: 3850602802-2096851135
                                                              • Opcode ID: b8e4b4f9f9e39cd1a8e25a08b734917fcf700755df6116b03eb80f3d626a3a24
                                                              • Instruction ID: 21e8aa4b7087d65ce8065ccf4cd3a6e1abf473d7eed87be452f7ef6381eb2cd7
                                                              • Opcode Fuzzy Hash: b8e4b4f9f9e39cd1a8e25a08b734917fcf700755df6116b03eb80f3d626a3a24
                                                              • Instruction Fuzzy Hash: 3B11B6712202096FEF118F94DC88EFB77AAEB44368F110129F91497290D671DC7187A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @U=u
                                                              • API String ID: 0-2594219639
                                                              • Opcode ID: 9ea22e91d7e446426bca477f58adb28b6c2a38b595d57d4f81e18e2a4a4b9b1d
                                                              • Instruction ID: e50439a17fa84ca6af22b0f06636b76455a3a511a2b681b139cf4d4794e7f36a
                                                              • Opcode Fuzzy Hash: 9ea22e91d7e446426bca477f58adb28b6c2a38b595d57d4f81e18e2a4a4b9b1d
                                                              • Instruction Fuzzy Hash: FF216375135119BFEF108E98CC45FFA77A8EB05320F504159FA16DA1E0DAB1D9A0DB60
                                                              APIs
                                                                • Part of subcall function 00211D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00211D73
                                                                • Part of subcall function 00211D35: GetStockObject.GDI32(00000011), ref: 00211D87
                                                                • Part of subcall function 00211D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00211D91
                                                              • GetWindowRect.USER32(00000000,?), ref: 00296C71
                                                              • GetSysColor.USER32(00000012), ref: 00296C8B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                              • String ID: static
                                                              • API String ID: 1983116058-2160076837
                                                              • Opcode ID: 7b356aed616bca1d7879f3bd4acf87818ae2fc61ef0850fd8e3bd08d83270851
                                                              • Instruction ID: 063d067d65670dd3c1642d680604415c9911692e05b14da063890d1c2924d11b
                                                              • Opcode Fuzzy Hash: 7b356aed616bca1d7879f3bd4acf87818ae2fc61ef0850fd8e3bd08d83270851
                                                              • Instruction Fuzzy Hash: 0D21297252020AAFDF04DFA8DD49AEA7BE8FB08314F114629FD95D2250D635E860DB60
                                                              APIs
                                                              • _memset.LIBCMT ref: 00272A22
                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00272A41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: 613465750891b615baeef9e77d87a7ccf6f8da93f6ca22e29dcec28ca55dbaf4
                                                              • Instruction ID: 6394530fa7749fcbfd522d0e7a84dbffe53e454a4d04f36fa74e384ea82913a3
                                                              • Opcode Fuzzy Hash: 613465750891b615baeef9e77d87a7ccf6f8da93f6ca22e29dcec28ca55dbaf4
                                                              • Instruction Fuzzy Hash: 2411D332D21135EBCB30DE59D848B9A73ACAB45300F148022E95DE7290D770AD1EC791
                                                              APIs
                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0028222C
                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00282255
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Internet$OpenOption
                                                              • String ID: <local>
                                                              • API String ID: 942729171-4266983199
                                                              • Opcode ID: c9a7374c1b3917644e84fe9fb4fc3a21edab949f83e6182fc12930d420103cc3
                                                              • Instruction ID: e8c2f941d9101087ff6a0197edcd056d6a502c338b5bbd9b171a52c731503967
                                                              • Opcode Fuzzy Hash: c9a7374c1b3917644e84fe9fb4fc3a21edab949f83e6182fc12930d420103cc3
                                                              • Instruction Fuzzy Hash: E7110674522226FADB24AF518CC8EF7FBACFF06351F10822AF90486080D2B05968D7F0
                                                              APIs
                                                              • SendMessageW.USER32(?,?,?,?), ref: 00298530
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 3850602802-2594219639
                                                              • Opcode ID: 85333bbb2dde781ed7d78500be03aafb38b27342a7cd6a7ae0c882455f7ad42d
                                                              • Instruction ID: 287a38c180a862a31329e0af8b8256f835342400affd309bfc91fb3a229ff0a3
                                                              • Opcode Fuzzy Hash: 85333bbb2dde781ed7d78500be03aafb38b27342a7cd6a7ae0c882455f7ad42d
                                                              • Instruction Fuzzy Hash: 39210375A2020AEFCF15CF98D8408EA7BB9FB4D340B464159FD06A7320DA31AD65DBA0
                                                              APIs
                                                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 0029662C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: @U=u$button
                                                              • API String ID: 3850602802-1762282863
                                                              • Opcode ID: 222ea0e97d7ef5d553a3dc3d0ddc199004f2f80656d6323ac6bec07e719fbc16
                                                              • Instruction ID: 0ff8fd05bd6640fd0f3bcf7495e87e1f20ee00a6777c9f626196506e886301de
                                                              • Opcode Fuzzy Hash: 222ea0e97d7ef5d553a3dc3d0ddc199004f2f80656d6323ac6bec07e719fbc16
                                                              • Instruction Fuzzy Hash: 2D11E172160206ABDF118F60DC55FEA37AAEF18314F154218FA55A7190C776ECB1AB10
                                                              APIs
                                                              • SendMessageW.USER32(?,0000133E,00000000,?), ref: 002978D8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 3850602802-2594219639
                                                              • Opcode ID: 4dab77b9d516229c54ac105ecb1183d9103ef2f21202f94db83d5edabeabdd42
                                                              • Instruction ID: b54d0e93800c0afb1e759c35269d9f7a5aea9668a975df9123f89c6a9fbb12c2
                                                              • Opcode Fuzzy Hash: 4dab77b9d516229c54ac105ecb1183d9103ef2f21202f94db83d5edabeabdd42
                                                              • Instruction Fuzzy Hash: 5911E230524744AFEB21CF34C891AE7BBE9FF06310F10851DE9AA87391DB716951DBA0
                                                              APIs
                                                                • Part of subcall function 002714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00269296,?,?,00000034,00000800,?,00000034), ref: 002714E6
                                                              • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00269509
                                                              • SendMessageW.USER32(?,0000102B,?,00000000), ref: 0026952E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$MemoryProcessWrite
                                                              • String ID: @U=u
                                                              • API String ID: 1195347164-2594219639
                                                              • Opcode ID: 9c0fb9d9703f804f88a0dd64e8111819e296edfa585074a81b50286d8ac37df7
                                                              • Instruction ID: 1c037f678357314cf1e5358f813e0fb804b0ae497b0fafc12bc4ccf35a0265cd
                                                              • Opcode Fuzzy Hash: 9c0fb9d9703f804f88a0dd64e8111819e296edfa585074a81b50286d8ac37df7
                                                              • Instruction Fuzzy Hash: BA01DF32510219ABDB21AF54EC49EDAB77CDF14310F10416AF919A71D1DB706DB5CF60
                                                              APIs
                                                              • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 002695FB
                                                              • SendMessageW.USER32(?,0000040D,?,00000000), ref: 0026962E
                                                                • Part of subcall function 00271487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002714B1
                                                                • Part of subcall function 00217BCC: _memmove.LIBCMT ref: 00217C06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$MemoryProcessRead_memmove
                                                              • String ID: @U=u
                                                              • API String ID: 339422723-2594219639
                                                              • Opcode ID: b468903b1d0b1a45809245c5d63a759c824569138d3697a0424761b6f7a29fe3
                                                              • Instruction ID: 0449934d193825476c725958a0d55836d95877e7007936c893555199be165503
                                                              • Opcode Fuzzy Hash: b468903b1d0b1a45809245c5d63a759c824569138d3697a0424761b6f7a29fe3
                                                              • Instruction Fuzzy Hash: 26015B72810218AFDB50AE94DC85ED977BCFB14344F80C0AAB649A6150DE311EA9CF90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: __calloc_crt
                                                              • String ID: @B-
                                                              • API String ID: 3494438863-139142432
                                                              • Opcode ID: 46cfd6072f28b9ce24dfbeb6f1a0503f29d146be655ede783efc6bcbb72db259
                                                              • Instruction ID: 4525dcfadae361a2a7616b9b3ff9a1b14dea79b53c6267f00c6c07bb3c969d38
                                                              • Opcode Fuzzy Hash: 46cfd6072f28b9ce24dfbeb6f1a0503f29d146be655ede783efc6bcbb72db259
                                                              • Instruction Fuzzy Hash: 12F0A4B5625622ABE7248F54BC5DB62A79EE710734F10401BE500EE180EBB08C554EC0
                                                              APIs
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0026954C
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00269564
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 3850602802-2594219639
                                                              • Opcode ID: 6e03510577cb2024257519217beee27d4ff71992fc4ca5e69c87824d7f5b9243
                                                              • Instruction ID: 40946a444a0d08b6b0f4d7d7fe7ff7c526d3819cd1bc593bcf4ef176a8a5cbde
                                                              • Opcode Fuzzy Hash: 6e03510577cb2024257519217beee27d4ff71992fc4ca5e69c87824d7f5b9243
                                                              • Instruction Fuzzy Hash: 65E02B3535232276F2311A259D4EFD72E0DDB88B61F100035B702990D5CDE20DE286B0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp
                                                              • String ID: #32770
                                                              • API String ID: 2292705959-463685578
                                                              • Opcode ID: f86c48821d9db4aa04fd19e74ebfb08c09aa6b5d8e72d0453b3ae92e65ab2ca8
                                                              • Instruction ID: de7692ca092c286f1bd58150045763c1401bd9a100158d602edc87697ee737ce
                                                              • Opcode Fuzzy Hash: f86c48821d9db4aa04fd19e74ebfb08c09aa6b5d8e72d0453b3ae92e65ab2ca8
                                                              • Instruction Fuzzy Hash: 00E09B32A0022926D7109A95AC49FA7F7ACDB45B70F410157FD04D2051D5609A5587D1
                                                              APIs
                                                                • Part of subcall function 0024B314: _memset.LIBCMT ref: 0024B321
                                                                • Part of subcall function 00230940: InitializeCriticalSectionAndSpinCount.KERNEL32(002D4158,00000000,002D4144,0024B2F0,?,?,?,0021100A), ref: 00230945
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,0021100A), ref: 0024B2F4
                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0021100A), ref: 0024B303
                                                              Strings
                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0024B2FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                              • API String ID: 3158253471-631824599
                                                              • Opcode ID: 50a183e6599db3a410f4d815eaf7cda1bf1cfb639b99fd702ec64ac4cff572d6
                                                              • Instruction ID: 9b0eeae471b5f27cb95ba676d5e3ee7d57b17005b7256aa855005814a6398321
                                                              • Opcode Fuzzy Hash: 50a183e6599db3a410f4d815eaf7cda1bf1cfb639b99fd702ec64ac4cff572d6
                                                              • Instruction Fuzzy Hash: 65E06D706207518BD766DF2AE5087867BE4AF04744F0089ADE886C7240E7B4E868CFA1
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00251775
                                                                • Part of subcall function 0028BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0025195E,?), ref: 0028BFFE
                                                                • Part of subcall function 0028BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0028C010
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0025196D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                              • String ID: WIN_XPe
                                                              • API String ID: 582185067-3257408948
                                                              • Opcode ID: 7d68d533338ddbae0f8742cfd2cb2367ffe4a933bc26a15a65270452500a1269
                                                              • Instruction ID: 9f5a24a8bf0b5bdb5716141886691a6f1d21a5f6646e6e10406b5cdcf9881a63
                                                              • Opcode Fuzzy Hash: 7d68d533338ddbae0f8742cfd2cb2367ffe4a933bc26a15a65270452500a1269
                                                              • Instruction Fuzzy Hash: 89F03970821009EFCB55DF94DA88BECBBF8AF1C302F240096E502A20A1C7704FA8CF64
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029596E
                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00295981
                                                                • Part of subcall function 00275244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002752BC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: 355bd27be40dcb43747328f80aff6fdea4c675d0c91a4be6ef3fb18b0816deb0
                                                              • Instruction ID: ecfec70c1cb68ad12fc3531ecbc24eba011a9725eecc44f1d148d8826703d105
                                                              • Opcode Fuzzy Hash: 355bd27be40dcb43747328f80aff6fdea4c675d0c91a4be6ef3fb18b0816deb0
                                                              • Instruction Fuzzy Hash: 80D0C931794311B7E6E8AB70AD4FFA76A14AB00B50F01482AB65AEA1D1D9E09810CA54
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002959AE
                                                              • PostMessageW.USER32(00000000), ref: 002959B5
                                                                • Part of subcall function 00275244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002752BC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: af9208baba820ea6f90149586f58aa9591ff7ad7a52d3c9fae2c4a18721ca284
                                                              • Instruction ID: 73c6baf0ada1ac4275bcec4de2423c4367a9bb536a7b6917cd384f06bc00ff7b
                                                              • Opcode Fuzzy Hash: af9208baba820ea6f90149586f58aa9591ff7ad7a52d3c9fae2c4a18721ca284
                                                              • Instruction Fuzzy Hash: 36D0C9317903117BE6E8AB70AD4FF976614AB05B50F41482AB65AEA1D1D9E0A810CA54
                                                              APIs
                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002693E9
                                                              • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 002693F7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1431539997.0000000000211000.00000040.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true
                                                               • Associated: 00000000.00000002.1431455375.0000000000210000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002C4000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.00000000002DD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431539997.0000000000315000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431734220.000000000031B000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1431751999.000000000031C000.00000004.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: @U=u
                                                              • API String ID: 3850602802-2594219639
                                                              • Opcode ID: 528663495fd2baa5ce16a55278c12229bcee044dccc2a713be86f3a072436c72
                                                              • Instruction ID: fd60dd3d7c928c053f6d7309b37fcba42959da05be6ad70d25864e5d8e39820b
                                                              • Opcode Fuzzy Hash: 528663495fd2baa5ce16a55278c12229bcee044dccc2a713be86f3a072436c72
                                                              • Instruction Fuzzy Hash: 8EC00231141280BAEAA11B77BD0DD873E3DE7CAF52711016DB221D50B5866500A5DA24
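The per-function records above (APIs with recovered arguments, then the Similarity block with API ID, String ID, API String ID and Opcode ID) are easier to triage when parsed than when read. The following is an added example, not part of Joe Sandbox or of this report: a small parser for that record layout plus two triage rules, decoding the window-message constants seen here (WM_COMMAND = 0x111, LVM_GETHEADER = 0x101F, HDM_GETITEMCOUNT = 0x1200, standard Win32 values) and flagging the FindWindowW("Shell_TrayWnd") followed by PostMessageW(..., WM_COMMAND, ...) pair. The record text embedded in the block is constructed to mirror the report's layout, with addresses and hashes shortened; the rule names and the record/call classes are this example's own. Note the second record, where the plugin recovered PostMessageW with a single argument: the rule deliberately does not fire there, because the message id is simply absent rather than known to be benign.

```python
"""Parse Joe Sandbox IDA-plugin function records and apply two triage rules.

Added example; not Joe Sandbox code.  SAMPLE is constructed to mirror the
report's 'APIs' / 'Similarity' layout (addresses and hashes shortened).
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE(arg,arg,...), ref: ADDRESS
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
SECTION_HEADERS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# Win32 message constants relevant to the records on this page.
WM_COMMAND = 0x111
MSG_NAMES = {WM_COMMAND: "WM_COMMAND", 0x101F: "LVM_GETHEADER", 0x1200: "HDM_GETITEMCOUNT"}

@dataclass
class Call:
    name: str
    module: str
    args: list          # recovered arguments as printed; may be incomplete or "?"
    ref: str
    subcall: str | None = None   # set when the call sits in a subcall function

@dataclass
class Record:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity / plugin key-values

def parse_records(text: str) -> list[Record]:
    """Split the report text into records; each record starts at an 'APIs' header."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Record(); records.append(cur); section = "apis"; continue
        if cur is None:
            continue
        if s in SECTION_HEADERS:
            section = s; continue
        m = API_RE.match(line)
        if section == "apis" and m:
            args = [a.strip() for a in m["args"].split(",")]
            cur.calls.append(Call(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m and section in ("Similarity", "Joe Sandbox IDA Plugin"):
            # strip the "Download File" widget text the HTML export fuses onto values
            cur.meta[m["key"].strip()] = m["val"].replace("Download File", "").strip()
    return records

def _msg_id(call: Call) -> int | None:
    """Second argument of Send/PostMessageW as an int, or None if not recovered."""
    if call.name not in ("SendMessageW", "PostMessageW") or len(call.args) < 2:
        return None
    try:
        return int(call.args[1], 16)
    except ValueError:            # "?" means the plugin could not recover it
        return None

def decode_messages(rec: Record) -> list[str]:
    """Symbolic names of the window messages a record sends or posts."""
    out = []
    for c in rec.calls:
        mid = _msg_id(c)
        if mid is not None:
            out.append(MSG_NAMES.get(mid, f"0x{mid:X}"))
    return out

def flags_tray_wm_command(rec: Record) -> bool:
    """FindWindowW('Shell_TrayWnd') followed by PostMessageW(..., WM_COMMAND, ...):
    the function drives the Explorer taskbar by command id.  Only fires when the
    message id was actually recovered, so an argument-less PostMessageW does not count."""
    found_tray = False
    for c in rec.calls:
        if c.name == "FindWindowW" and c.args and c.args[0] == "Shell_TrayWnd":
            found_tray = True
        elif found_tray and c.name == "PostMessageW" and _msg_id(c) == WM_COMMAND:
            return True
    return False

def group_by_api_string_id(records: list[Record]) -> dict[str, list[str]]:
    """Bucket records sharing an API String ID (same API set and string) by Opcode ID,
    which surfaces near-duplicate functions such as the two Shell_TrayWnd variants."""
    groups: dict[str, list[str]] = {}
    for r in records:
        key = r.meta.get("API String ID")
        if key:
            groups.setdefault(key, []).append(r.meta.get("Opcode ID", "?"))
    return groups

SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00295981
  • Part of subcall function 00275244: Sleep.KERNEL32(?,00000000,?,?), ref: 002752BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1431539997.0000000000211000.sdmp, Offset: 00210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_210000_ru52XOQ1p7.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 355bd27be40dcb43
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002959AE
• PostMessageW.USER32(00000000), ref: 002959B5
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: af9208baba820ea6
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002693E9
• SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 002693F7
Strings
Similarity
• API ID: MessageSend
• API String ID: 3850602802-2594219639
• Opcode ID: 528663495fd2baa5
"""

if __name__ == "__main__":
    for i, r in enumerate(parse_records(SAMPLE)):
        print(i, decode_messages(r), flags_tray_wm_command(r), r.meta.get("API String ID"))
```

The third record decodes to LVM_GETHEADER then HDM_GETITEMCOUNT, i.e. fetch a list-view's header control and count its columns, which is ordinary GUI-library code rather than anything hostile; decoding the constants is what separates that from the WM_COMMAND post to the taskbar in the first record. Grouping by API String ID shows the first two records as two compiled variants of the same operation.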